Unsanitized input returned in the response enables XSS exploitation in flatpressblog/flatpress
Dec 20th 2022
Reviewing the source code, we found that the affected user-creation fields are validated with the PHP functions ctype_alnum and preg_match. That validation rejects malformed values, but it does not stop the error variable ($err) from storing the user's submitted value in full; the resulting error message is returned in the response without HTML encoding, so a value containing markup or script is reflected verbatim and rendered by the browser.
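The following is an added illustration of that pattern, not code from FlatPress: the field name fpuser comes from the advisory, while the alphanumeric rule, the message text and the template helper are assumptions made for the example. The vulnerable renderer interpolates the stored value into the page unchanged; the fixed renderer encodes it for the HTML context at the point of output.

```php
<?php
// Added example (not FlatPress code). Demonstrates how a correctly rejected
// value can still be reflected: validation fails, but the raw submission is
// kept in $err and later echoed into the response without encoding.

declare(strict_types=1);

/**
 * Validate the "create user" submission. Field name "fpuser" is from the
 * advisory; the alphanumeric-only rule is an assumption for this example.
 * On failure the message deliberately keeps the full submitted value,
 * which is the behaviour the advisory describes.
 */
function validate_user(array $post): array
{
    $err  = [];
    $user = (string) ($post['fpuser'] ?? '');
    if ($user === '' || !ctype_alnum($user)) {
        // ctype_alnum() rejected the value, but $err still holds it whole.
        $err['fpuser'] = "Invalid user name: {$user}";
    }
    return $err;
}

/** Vulnerable template helper: interpolates $err messages into HTML verbatim. */
function render_errors_vulnerable(array $err): string
{
    $out = '';
    foreach ($err as $field => $msg) {
        $out .= "<p class=\"error\" data-field=\"{$field}\">{$msg}</p>\n";
    }
    return $out;
}

/** Fixed template helper: encodes every message for the HTML body context. */
function render_errors_fixed(array $err): string
{
    $out = '';
    foreach ($err as $field => $msg) {
        // ENT_QUOTES also neutralises quotes, so the same helper is safe if a
        // message ever ends up inside an attribute value.
        $safeField = htmlspecialchars((string) $field, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $safeMsg   = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= "<p class=\"error\" data-field=\"{$safeField}\">{$safeMsg}</p>\n";
    }
    return $out;
}

// Constructed request body with a harmless marker instead of a real payload.
$post = ['fpuser' => '<b>marker</b>'];
$err  = validate_user($post);

echo "Vulnerable output:\n", render_errors_vulnerable($err);
echo "Fixed output:\n", render_errors_fixed($err);
```

Running the script shows the difference: the vulnerable helper emits the `<b>` tags inside the error paragraph, where a browser interprets them, while the fixed helper emits `&lt;b&gt;marker&lt;/b&gt;`, which displays as literal text. The input validation is unchanged in both cases; the fix is output encoding at the point where user-controlled data meets HTML.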
Proof of Concept
To exploit this vulnerability, follow the steps below:
1. Download FlatPress version 1.2.1 and upload it to your web server.
2. From the browser, start the simple installation process.
3. In the "Create user" form, identify the vulnerable fields (fpuser) and insert the following payload:
4. Click the Next button. Because the value is invalid, the form returns an error message for each failing field; the message contains the submitted value verbatim, so the payload executes in the browser.
This vulnerability allows an attacker to steal relevant information, deface the website or redirect users to malicious websites, and it may be chained into more advanced attacks.