SDK für PHP-Entwickler um die Arbeit mit der API von ImmobilienScout24 zu vereinfachen. Über die API erhält man Ergebnislisten, Objektdaten, uvm. von ImmobilienScout und kann diese Daten inhherhalb seines Webservice integrieren. Die Dokumentation zum SDK findet man unter https://github.com/Immocaster/php-sdk/wiki.
Hello:
I found a Reflected XSS vulnerability in this sdk.
The vulnerability exists due to insufficient filtration of user-supplied data in “token_secret” HTTP REQUEST parameter that will be passed to “restapi-php-sdk-master\Immocaster\Oauth\example\client.php”. The infected source code is line 7, there is no protection on $_REQUEST['token_secret'];
if $_REQUEST['token_secret'] contains evil js code, line 102 will trigger untrusted code to be excuted on the browser side
Hello: I found a Reflected XSS vulnerability in this sdk.
The vulnerability exists due to insufficient filtration of user-supplied data in “token_secret” HTTP REQUEST parameter that will be passed to “restapi-php-sdk-master\Immocaster\Oauth\example\client.php”. The infected source code is line 7, there is no protection on $_REQUEST['token_secret'];
if $_REQUEST['token_secret'] contains evil js code, line 102 will trigger untrusted code to be excuted on the browser side
So if a attacker construct a special url as follow and send it to a victim, when the victim click the url, the code which is contained in the url will be executed on the victim's browser side to do some evil. http://your-web-root/restapi-php-sdk-master/Immocaster/Oauth/example/client.php?token_secret="> Githubissues.