IssabelFoundation / issabelPBX

Asterisk configuration GUI
GNU General Public License v3.0

Possible XSS vulnerability #33

Closed enferas closed 2 years ago

enferas commented 2 years ago

Hello,

I would like to report an XSS vulnerability.

The path of the vulnerability:

In file https://github.com/IssabelFoundation/issabelPBX/blob/master/backup/page.backup_restore.php

// line 16
$var[$k] = isset($_REQUEST[$k]) ? $_REQUEST[$k] : $v;
// line 143
dbug($_SESSION['backup_restore_path'], $var);

In file customappsreg/functions.inc.php https://github.com/IssabelFoundation/issabelPBX/blob/master/framework/amp_conf/htdocs/admin/libraries/utility.functions.php

// line 296
function dbug() {
    // ...
    $opts = func_get_args();
    // ...

    switch (count($opts)) {
        case 1:
            $msg        = $opts[0];
            break;
        case 2:
            if ( is_array($opts[0]) || is_object($opts[0]) ) {
                $msg    = $opts[0];
                $dump   = $opts[1];
            } else {
                $disc   = $opts[0];
                $msg    = $opts[1];
            }
            break;
        case 3:
            $disc       = $opts[0];
            $msg        = $opts[1];
            $dump       = $opts[2];
            break;
    }
    // ...
    if ($dump==1) { // force output via var_dump
        ob_start();
        var_dump($msg);
        $msg = ob_get_contents();
        ob_end_clean();
        dbug_write($msg."\n\n\n");
    } elseif (is_array($msg) || is_object($msg)) {
        dbug_write(print_r($msg,true)."\n\n\n");
    } else {
        dbug_write($msg."\n\n\n");
    }
}

$msg carries the value from $_REQUEST without sanitization, so there is an XSS vulnerability.

enferas commented 2 years ago

CVE-2021-43695 is assigned for this discovery.

An unspecified version of issabelPBX is affected by a Cross Site Scripting (XSS) vulnerability. In file page.backup_restore.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST without sanitization, so there is an XSS vulnerability.
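As an added example (not code from issabelPBX or from the reporter), the request-to-output pattern described in this issue next to an escaped version. The helper names `render_debug_unsafe`, `render_debug_safe` and `esc`, the `restore_path` key and the `$request` array are all constructed for the illustration; the `$var[$k] = isset(...)` line mirrors the pattern quoted from line 16 above.

```php
<?php
// Added example, not issabelPBX code. Requires PHP 8 (str_contains).

// Vulnerable shape: a request-controlled string is concatenated into the
// response unchanged, so any markup in it is rendered by the browser.
function render_debug_unsafe(string $label, mixed $value): string
{
    $dump = (is_array($value) || is_object($value)) ? print_r($value, true) : (string) $value;
    return "<pre>{$label}: {$dump}</pre>";
}

// Hardened shape: escape for HTML body context before output. ENT_QUOTES also
// neutralises quotes should the same string ever land inside an attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_debug_safe(string $label, mixed $value): string
{
    $dump = (is_array($value) || is_object($value)) ? print_r($value, true) : (string) $value;
    return '<pre>' . esc($label) . ': ' . esc($dump) . '</pre>';
}

// Returns [unsafe_contains_tag, safe_contains_tag, safe_contains_entity]
// for a constructed request, standing in for $_REQUEST in the report.
function demo(): array
{
    $request = ['restore_path' => '<script>alert(1)</script>'];   // constructed input
    $var     = ['restore_path' => '/var/backup'];                 // constructed default
    foreach ($var as $k => $v) {
        $var[$k] = isset($request[$k]) ? $request[$k] : $v;       // same pattern as line 16
    }
    $unsafe = render_debug_unsafe('backup_restore', $var);
    $safe   = render_debug_safe('backup_restore', $var);
    return [
        str_contains($unsafe, '<script>'),       // true: live element in the page
        str_contains($safe, '<script>'),         // false: no tag survives escaping
        str_contains($safe, '&lt;script&gt;'),   // true: rendered as literal text
    ];
}

[$unsafeHasTag, $safeHasTag, $safeHasEntity] = demo();
echo 'unsafe renders tag: ' . var_export($unsafeHasTag, true) . PHP_EOL;
echo 'safe renders tag:   ' . var_export($safeHasTag, true) . PHP_EOL;
echo 'safe shows entity:  ' . var_export($safeHasEntity, true) . PHP_EOL;
```

The same escaping must be applied at every point where a request value reaches an HTML response, including error paths such as the `exit()` message mentioned in the CVE text, since debug output is exactly the kind of path that tends to skip the template layer.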