Unsanitized input returned in response is conducive to XSS exploitation in flatpressblog/flatpress

Valid

Reported on Dec 20th 2022


Description

During the initial installation process, it was identified that the "Create user" form that collects user data does not properly sanitize the submitted values: when validation fails, the form prints them back to the screen inside an error message without encoding them, which allows HTML or JavaScript code to be injected and a Cross-Site Scripting (XSS) attack to be carried out. The vulnerable fields are fpuser, email and www; all three are sent in a POST request and are handled in the file main.lib.php.

Reviewing the source code, we identified that the PHP functions ctype_alnum and preg_match are used to validate the fields mentioned above; however, these checks do not prevent the error variable ($err) from capturing the user's input in its entirety, so the rejected value is reflected verbatim in the error message.
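To make that mechanism concrete, the following is an added example and not FlatPress's own main.lib.php: the field names fpuser, email and www and the use of ctype_alnum and preg_match come from the report, while the exact validation rules, error wording and function names are assumptions. The unsafe renderer writes the collected $err strings straight into HTML, so a rejected value is reflected as markup; the fixed renderer HTML-encodes every message at the point of output, which is the standard mitigation for this class of reflected XSS.

```php
<?php
// Added example (not FlatPress code): a minimal "create user" validator that
// mirrors the pattern described in the report. Field names come from the
// report; validation rules, messages and function names are assumptions.

// Validate the submitted fields and return a list of error messages.
// ctype_alnum/preg_match reject bad input, but the rejected value itself is
// still embedded in the message, which is the $err accumulation the report
// describes.
function validate_user_form(array $post): array {
    $err = [];
    $fpuser = (string)($post['fpuser'] ?? '');
    $email  = (string)($post['email'] ?? '');
    $www    = (string)($post['www'] ?? '');

    if (!ctype_alnum($fpuser)) {
        $err[] = "Invalid username: {$fpuser}";
    }
    if (!preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $email)) {
        $err[] = "Invalid e-mail: {$email}";
    }
    if ($www !== '' && !preg_match('#^https?://\S+$#i', $www)) {
        $err[] = "Invalid URL: {$www}";
    }
    return $err;
}

// VULNERABLE: error strings are concatenated directly into the HTML page.
function render_errors_unsafe(array $err): string {
    if ($err === []) {
        return '';
    }
    return '<ul class="error"><li>' . implode('</li><li>', $err) . '</li></ul>';
}

// FIXED: every message is HTML-encoded at output time, so a value such as
// <script>alert('XSS')</script> is displayed as text instead of executed.
function render_errors_safe(array $err): string {
    if ($err === []) {
        return '';
    }
    $items = array_map(
        static function (string $m): string {
            return htmlspecialchars($m, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $err
    );
    return '<ul class="error"><li>' . implode('</li><li>', $items) . '</li></ul>';
}

// Constructed input: the report's payload placed in the fpuser field, plus a
// malformed e-mail so that more than one message is produced.
$post = [
    'fpuser' => "<script>alert('XSS')</script>",
    'email'  => 'not-an-email',
    'www'    => 'http://example.com',
];
$err = validate_user_form($post);

echo "Unsafe output (script tag survives as markup):\n";
echo render_errors_unsafe($err), "\n\n";
echo "Safe output (script tag is encoded):\n";
echo render_errors_safe($err), "\n";
```

Running the script with PHP 7.0 or later prints the two renderings side by side; in the unsafe one the `<script>` element is intact, in the safe one it appears as `&lt;script&gt;...`. The point to take away for review is that input validation and output encoding are separate controls: the former decides whether a value is accepted, the latter decides how it is displayed, and the report shows what happens when only the first is present.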

Proof of Concept

To exploit this vulnerability follow the steps below:

1. Download FlatPress version 1.2.1 and upload it to your web server.
2. From the browser, start the simple installation process.
3. In the "Create user" form, identify the vulnerable field (fpuser) and insert the following payload:
   <script>alert('XSS')</script>
4. Click on the Next button. Because the entry is invalid, an error message is shown for each field, and the payload is executed.

Impact

This vulnerability allows attackers to steal relevant information, deface the website or redirect users to malicious websites; it may also serve as a stepping stone to a higher level of exploitation or to more advanced attacks.

Timeline

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours.
A GitHub Issue asking the maintainers to create a SECURITY.md exists.
Juampa Rodríguez modified the report.
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back.
flatpressblog/flatpress maintainer validated this vulnerability.

Thanks for reporting!

und3sc0n0c1d0 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7.
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 5f23b4.
The fix bounty has been dropped.
main.lib.php#L108-L113 has been validated.
main.lib.php#L98-L99 has been validated.
Juampa (Researcher):

Thank you very much for your prompt response and actions taken. @admin, I'll be glad if you can assign this new CVE. Merry Christmas to all!!

Pavlos (Admin):

Your CVE will be assigned and published on Mar 1st :)

This vulnerability has now been published.