Benunc / better-click-to-tweet

Gutenberg-ready WordPress Plugin for adding Click To Tweet boxes to Posts and Pages
https://www.betterclicktotweet.com

Escape $_SERVER['REQUEST_URI'] #85

Closed discodamone closed 2 years ago

discodamone commented 2 years ago

In limited circumstances, $_SERVER['REQUEST_URI'] can be considered a dangerous source of user input, and as such, can cause reflected XSS. Normally, browsers URL-encode the path before sending the request to the server. However, reverse proxies sometimes decode the path before forwarding it to the server. A request such as http://wpdistillery.vm/wp-admin/index.php/abc%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E?page=bctt-welcome&step=bctt-setup with an nginx configuration such as

        server {
                listen 80;
                server_name wpdistillery.vm;
                location / {
                        proxy_pass http://192.168.33.10/;
                }
        }

will lead to reflected cross-site scripting. If an administrator were to visit a malicious URL provided by an attacker, the attacker would have the ability to perform most administrative actions and read most data available to the administrator.
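
The reflection described above, as an added illustration rather than the plugin's own code: the proxy-decoded request URI is dropped into an attribute unescaped, then the same value is escaped for that context. It assumes the plugin echoes the current URI into a form or link attribute on its welcome/setup page (the exact call site is not shown on this page), and uses htmlspecialchars() so it runs without WordPress loaded; esc_url() is the WordPress equivalent.

```php
<?php
// Constructed sample of what $_SERVER['REQUEST_URI'] holds once a reverse
// proxy has already percent-decoded the path (the nginx case in the issue).
// A browser talking directly to PHP would normally send it percent-encoded.
$decodedUri = '/wp-admin/index.php/abc"><script>alert(document.domain)</script>'
            . '?page=bctt-welcome&step=bctt-setup';

// BEFORE: the raw value lands inside an HTML attribute. The first '"'
// closes the attribute and the rest of the string becomes live markup.
function render_vulnerable(string $uri): string {
    return '<form method="post" action="' . $uri . '">';
}

// AFTER: escape for the HTML attribute context. In a WordPress plugin use
// esc_url( $_SERVER['REQUEST_URI'] ), which also strips characters that are
// not valid in a URL; htmlspecialchars() is used here so the script runs
// stand-alone. More robust still is not to reflect the request URI at all
// and build the action from known values, e.g. admin_url( 'index.php?page=...' ).
function render_escaped(string $uri): string {
    $safe = htmlspecialchars($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Simple check for a test suite: rendered markup must never contain a raw
// script tag that originated from the request.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo render_vulnerable($decodedUri), PHP_EOL; // attribute is broken out of
echo render_escaped($decodedUri), PHP_EOL;    // payload stays inert text
var_dump(contains_raw_script(render_vulnerable($decodedUri)));
var_dump(contains_raw_script(render_escaped($decodedUri)));
```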

Benunc commented 2 years ago

Thanks so much @discodamone