GamePanelX-V3 – Cross-Site Scripting (XSS)

[bestshow]

Product: GamePanelX-V3 Download: https://github.com/devryan/GamePanelX-V3 Vunlerable Version: 3.0.12 and probably prior Tested Version: 3.0.12 Author: ADLab of Venustech

Advisory Details: A Cross-Site Scripting (XSS) was discovered in“GamePanelX-V3 3.0.12”, which can be exploited to execute arbitrary code. The vulnerability exists due to insufficient filtration of user-supplied data in the “a” HTTP GET parameter passed to the “GamePanelX-V3-master/ajax/ajax.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox: Poc: http://localhost/.../GamePanelX-V3-master/ajax/ajax.php?a=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22

[bestshow]

Excuse me, is there anyone dealing with this issue?

[devryan]

Looking at this.

[devryan]

@bestshow did you actually see an alert window pop up?

I get the standard "ERROR: Invalid ajax action "\"><\""!" which occurs if the ?a parameter is not in the supported list of actions.

It bails out here in ajax.php (https://github.com/devryan/GamePanelX-V3/blob/master/ajax/ajax.php#L29):

if(!in_array($this_request, $allowed_reqs)) die('ERROR: Invalid ajax action "' . $this_request . '"!');

[bestshow]

I tested this issue on firefox latest version in win7.

[devryan]

I have updated this and setup a pull request: https://github.com/devryan/GamePanelX-V3/pull/164

Can you test from here and confirm the bug is gone?

[bestshow]

You have fixed it,the vulnerbility is gone now.

[devryan]

Merged the fix into master branch, closed the branch: https://github.com/devryan/GamePanelX-V3/commit/2f78f27727da4216587d46a0be13ffc71f9267a2

Thanks for reporting, @bestshow !

[bestshow]

@devryan Thanks for replying, you`re welcome.