d8ahazard / FlexTV


[Security] XSS in index.php of Phlex and FlexTV #37

Open seongil-wi opened 2 years ago

seongil-wi commented 2 years ago

1. Are you hosting your own version of Flex TV, or using the one at https://app.phlexchat.com?

Yes

2. On what OS are you running Flex TV?

Ubuntu

3. Are you using a new instance of XAMPP, or an existing webserver?

Apache 2.4.29, with AcceptPathInfo turned on in apache2.conf

3b. If not XAMPP, what WebServer stack are you using?

No

4. Have you enabled the sockets module and ensured PHP has write-access to the directory containing Flex TV?

Yes

Description:

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

Steps To Reproduce:

  1. Go to the page with the following link: http://[server]/FlexTV/index.php/');alert('1
  2. Boom!

Where the Issue Occurred:

The code below displays the user-controlled input PHP_SELF in index.php without sufficient sanitization: https://github.com/d8ahazard/FlexTV/blob/247d30d6c6737e517862710188b302d6a72a673c/index.php#L389

For Phlex: https://github.com/d8ahazard/Phlex/blob/0a87855726cbce49d0ca84c1a7432f7a3a0458e1/index.php#L237
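The sink the report points at is `$_SERVER['PHP_SELF']`, which includes any trailing path info that Apache passes through once `AcceptPathInfo` is on. The following PHP is an added illustration written for this thread, not code from FlexTV or Phlex: it assumes, from the shape of the reporter's payload, that the page interpolates `PHP_SELF` into a single-quoted string inside an inline `<script>` (the `setBase` function name is a stand-in), and shows that pattern next to an output-encoded version and a request-level check that refuses path info the application never uses.

```php
<?php
// Added example, not the project's own code. The vulnerable shape below is an
// assumption drawn from the payload in the report; the linked line may differ.

// Vulnerable pattern: the raw request path, including any PATH_INFO suffix that
// AcceptPathInfo lets Apache hand to PHP, is concatenated into a JavaScript
// string literal. A single quote in the path terminates that literal.
function render_vulnerable(string $phpSelf): string
{
    return "<script>setBase('" . $phpSelf . "');</script>";
}

// Encoder for a JavaScript string context: json_encode with the HEX flags
// produces a quoted literal in which quotes, angle brackets and ampersands are
// emitted as \uXXXX escapes, so the value can neither close the literal nor
// close the surrounding <script> element.
function js_string(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// Hardened pattern: same page logic, but the value is emitted through the
// context-appropriate encoder and the literal's own quotes come from the encoder.
function render_hardened(string $phpSelf): string
{
    return "<script>setBase(" . js_string($phpSelf) . ");</script>";
}

// Encoder for HTML text or attribute context (a different sink needs a
// different encoder; do not reuse js_string for HTML or vice versa).
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth: index.php is not routed by path info, so any non-empty
// PATH_INFO is unexpected and can simply be refused before rendering.
function reject_path_info(array $server): bool
{
    return isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '';
}

// Constructed input: the path component of the reproduction URL in the report.
$pathInfo = "/FlexTV/index.php/');alert('1";

echo render_vulnerable($pathInfo), PHP_EOL;
echo render_hardened($pathInfo), PHP_EOL;
echo html_attr($pathInfo), PHP_EOL;

if (reject_path_info(['PATH_INFO' => "/');alert('1"])) {
    echo 'request with path info would be rejected with 404', PHP_EOL;
}
```

Running this with `php` prints the two renderings side by side: in the first, the `'` in the path closes the `setBase('...` literal and the rest of the path becomes live script; in the second, `json_encode` turns each quote into `\u0027`, so the whole path stays inside one string argument. The last check is the cheaper fix for a page that never consumes path info: the encoder is still needed wherever `PHP_SELF` or `REQUEST_URI` is echoed, but refusing unexpected `PATH_INFO` removes this particular sink's attacker-controlled suffix regardless of how the value is later used.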

d8ahazard commented 2 years ago

So, the XSS stuff was created when I decided it would be neat to make Flex TV implement a "page manager" feature, where you can add different tabs for apps directly to the UI.

Unfortunately, I am no longer developing the PHP version of Flex TV. Heck the linking API has been broken for the better part of a year thanks to Google and DialogFlow.

As such, I do have plans to re-create the application again, this time in dotnet. Whenever that comes to fruition, this won't be an issue, simply because it won't be using PHP any more and probably not feature the "page manager" bit. Or, if it does, it won't be through hacky iFrame stuff.

On Sun, Sep 12, 2021 at 9:14 PM Seongil Wi @.***> wrote:
