Hebing123 / cve


iBarn v1.5 has a reflected XSS vulnerability #49

Open Hebing123 opened 4 weeks ago

Hebing123 commented 4 weeks ago

Summary

A reflected Cross Site Scripting (XSS) vulnerability exists in iBarn v1.5 due to improper sanitization of the $search parameter in the html/index.php, html/pay.php, and html/own.php files. Although the htmlspecialchars function is used to encode HTML entities, the developers utilized the flag ENT_NOQUOTES, which does not encode single or double quotes, leading to the vulnerability.

Details

The misuse of the htmlspecialchars function allows the injection of JavaScript code into the search field, which can be exploited for XSS attacks.

html/index.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">

html/pay.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="搜你想要">

html/own.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">

Proof of Concept (PoC)

http(s)://ip:port/index.php?search=1%22%20onmouseover=alert(document.cookie)%20bad=%221


Differentiation from CVE-2024-26471

This vulnerability is distinct from CVE-2024-26471 as it specifically targets the $search parameter processed through the htmlspecialchars function and then bypasses filtering. Although CVE-2024-26471 only mentioned that the search field in html/offer.php lacks any filtering, our investigation revealed that several other pages (shareme.php, recycle.php, collection.php, pub.php, myshare.php) also do not filter the $search parameter, leading to multiple cross-site scripting (XSS) vulnerabilities.
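The following is an added example, not code from the iBarn project or from the reporter. It places the encoding used in the vulnerable templates (htmlspecialchars with ENT_NOQUOTES) beside a hardened variant (ENT_QUOTES with an explicit charset), applies both to a constructed search string that contains a double and a single quote, and includes a small check a developer could keep in a test suite to catch a raw quote surviving into an attribute value. The function names and the sample string are assumptions made for this illustration.

```php
<?php
// Added example (not iBarn code): shows why ENT_NOQUOTES is the wrong flag for a
// value placed inside value="..." and what the corrected call looks like.
declare(strict_types=1);

/**
 * Mirrors the encoding in html/index.php, html/pay.php and html/own.php:
 * ENT_NOQUOTES encodes < > & but leaves both ' and " untouched, so a quote in
 * $search terminates the value attribute and the rest of the string becomes
 * new attributes on the <input> element.
 */
function render_search_input_weak(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_NOQUOTES);
    return '<input type="text" id="search" name="search" value="' . $encoded . '">';
}

/**
 * Hardened variant: ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE keeps
 * htmlspecialchars() from returning an empty string on invalid UTF-8 (which
 * would silently drop the value), and the charset is stated explicitly.
 */
function render_search_input_safe(string $search): string
{
    $encoded = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" id="search" name="search" value="' . $encoded . '">';
}

/**
 * Regression check (hypothetical helper): an encoded string destined for a
 * quoted attribute must contain no raw quote of either kind.
 */
function attribute_value_is_safe(string $encoded): bool
{
    return strpos($encoded, '"') === false && strpos($encoded, "'") === false;
}

// Constructed sample input: one double quote, one single quote, one tag.
$sample = '1" extra=\'x\' <b>';

$weak = htmlspecialchars($sample, ENT_NOQUOTES);
$safe = htmlspecialchars($sample, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

echo "ENT_NOQUOTES encoding : $weak\n";
echo "ENT_QUOTES encoding   : $safe\n";
echo "weak value passes check : ", attribute_value_is_safe($weak) ? 'yes' : 'no', "\n";
echo "fixed value passes check: ", attribute_value_is_safe($safe) ? 'yes' : 'no', "\n";

echo "\nRendered with ENT_NOQUOTES:\n", render_search_input_weak($sample), "\n";
echo "\nRendered with ENT_QUOTES:\n",   render_search_input_safe($sample), "\n";
```

Run it with `php example.php`. With ENT_NOQUOTES the `<b>` is encoded but both quotes pass through, so the rendered element gains an `extra` attribute that came from user input; with ENT_QUOTES every quote is replaced by an entity and the value stays a single attribute. Applying the same flag change to every echo of `$_REQUEST['search']`, including the pages listed above that currently have no filtering at all, closes the attribute-breakout path described in this report.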

Hebing123 commented 1 week ago

CVE-2024-37625