Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.8.6
    • Component/s: Frontend (F)
    • Labels: None
    • Environment: Any

      Description

      The acknow.php page is vulnerable to reflected XSS attacks. The following section of code doesn't sanitize data properly:

      // Vulnerable handler as reported: backurl is decoded and passed straight
      // into the JavaScript redirect without validation or escaping.
      if (isset($_REQUEST['saveandreturn'])) {
          $url = new CUrl(urldecode($_REQUEST['backurl']));
          jsRedirect($url->getUrl());
          exit();
      }

      The $_REQUEST['backurl'] parameter can be manipulated to perform the XSS attack. Using a proxy, capture the request parameters and replace the backurl parameter with the following: </script><script>alert('XSS');</script> (see attachment for PoC).

      Fix: Sanitize the backurl request parameter and don't assume the user is going to leave the <url>.php in place.
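      A hardened version of the same handler, added here as an illustration and not Zabbix's own fix: the target page is checked against an allow-list instead of being trusted, and the URL is emitted as a JSON string literal so it cannot close the script element. The function names, the allow-list and the fallback page are assumptions.

```php
<?php
// Added example (not Zabbix code): hardened replacement for the redirect
// in acknow.php. safe_backurl, js_redirect_safe, ALLOWED_PAGES and
// DEFAULT_BACKURL are hypothetical names chosen for this illustration.

const DEFAULT_BACKURL = 'tr_status.php';                              // assumed fallback
const ALLOWED_PAGES   = ['tr_status.php', 'events.php', 'screens.php']; // assumed allow-list

/**
 * Return a safe redirect target derived from the untrusted backurl value,
 * or the default page when the value fails validation.
 */
function safe_backurl(?string $raw): string
{
    if ($raw === null) {
        return DEFAULT_BACKURL;
    }
    $raw = urldecode($raw);
    // Reject anything absolute or protocol-relative (scheme:, //, backslash).
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//|\\\\)#i', $raw)) {
        return DEFAULT_BACKURL;
    }
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_BACKURL;
    }
    // The path must be exactly one of the known pages; as the report notes,
    // do not assume the "<url>.php" prefix is still in place.
    $path = $parts['path'] ?? '';
    if (!in_array($path, ALLOWED_PAGES, true)) {
        return DEFAULT_BACKURL;
    }
    // Keep only plain query characters; quotes, < and > are dropped.
    $query = isset($parts['query'])
        ? preg_replace('/[^A-Za-z0-9_=&%.-]/', '', $parts['query'])
        : '';
    return $query === '' ? $path : $path . '?' . $query;
}

/**
 * Emit the JavaScript redirect with the URL encoded as a JSON string literal,
 * with <, >, &, ' and " hex-escaped so the value can never end the <script>.
 */
function js_redirect_safe(string $url): string
{
    $literal = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script type="text/javascript">window.location = ' . $literal . ';</script>';
}

if (isset($_REQUEST['saveandreturn'])) {
    echo js_redirect_safe(safe_backurl($_REQUEST['backurl'] ?? null));
    exit();
}
```

      With the payload from this report, safe_backurl() returns the fallback page because the path is not on the allow-list, and even a permitted value is emitted as an escaped literal rather than raw markup.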

People

    • Assignee: Unassigned
    • Reporter: infosec01 Damian Tommasino