The following vulnerable code and PoC were used to obtain cookies with the HttpOnly flag set, exposed in a debug error message, through an XSS vulnerability.
Vulnerable code:
<?php
namespace app\index\controller;

use app\index\model\User;

class Index
{
    // The array type hint is deliberate: a request that supplies a non-array
    // value for $params raises a TypeError, and the debug page then renders
    // the offending argument value.
    public function index(array $params)
    {
        // Set a cookie whose value is a constructed placeholder token.
        setcookie("PHPSESSION", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", time() + 3600, "/", "", 0);
        echo "session " . session_id("PHPSESSION");
    }
}
It was observed that the debug error output template (think_exception.tpl) is vulnerable because it does not adequately filter function argument values. As a result, the debug pages can leak critical information, such as HTTP cookies and file information, through reflected XSS. The vulnerability is triggered under a specific condition: the application passes user input as a function argument and that call raises an error, so the debug page renders the unfiltered argument value.
Code: /tpl/think_exception.tpl
Affected Version: v5.0.9
Screenshot #2:
Code: src/tpl/think_exception.tpl
Affected Version: v8.0.3
Screenshot #3:
Implication
Cross-site scripting (XSS) vulnerabilities enable the execution of malicious JavaScript code that has been inserted by an attacker. This poses significant security risks as it allows for a range of attacks, including session hijacking, theft of sensitive information, internal port scanning, defacement, phishing, keylogging, and unauthorized actions on behalf of the victim.
One common method of exploiting reflected cross-site scripting vulnerabilities occurs when victims unwittingly click on a specially crafted URL containing embedded XSS payloads. These URLs can be disseminated through various channels such as instant messaging, emails, or comments on websites.
In this scenario, an attacker could craft an exploitable link to execute JavaScript code on the debug page. As a result, the debug pages become vulnerable to reflected XSS attacks, enabling the extraction of critical information such as HTTP cookies, file information, and more.
Remediation
It is recommended to HTML-entity-encode the affected values (args, class, function, etc.) before they are rendered in the template.
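To illustrate the remediation, the following added example (not ThinkPHP's own think_exception.tpl, whose variable names are not reproduced here) contrasts a debug-page fragment that prints controller arguments verbatim with one that entity-encodes every name and value first; the sample argument value is constructed.

```php
<?php
// Added example: safe vs. unsafe rendering of function arguments on a debug page.
declare(strict_types=1);

// Encode one value for safe inclusion in an HTML text node or attribute.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently producing an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe: argument names and values are concatenated into the markup as-is,
// which is the class of defect described for the debug template.
function renderArgsUnsafe(array $args): string
{
    $rows = '';
    foreach ($args as $name => $value) {
        $rows .= "<tr><td>{$name}</td><td>" . var_export($value, true) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

// Hardened: every name and value passes through h() before reaching the markup.
function renderArgsSafe(array $args): string
{
    $rows = '';
    foreach ($args as $name => $value) {
        $rows .= '<tr><td>' . h((string) $name) . '</td><td>'
               . h(var_export($value, true)) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

// Constructed sample: the kind of argument value that reaches a debug page when
// a controller receives user input and the call then raises an exception.
$sample = ['params' => '<script>alert(1)</script>'];

echo renderArgsUnsafe($sample);  // the tag is emitted verbatim and would execute
echo renderArgsSafe($sample);    // the tag is emitted as inert text (&lt;script&gt;...)
```

Because the debug page also prints request data such as cookies into the DOM, script running on that page can read HttpOnly cookies from the page text even though document.cookie hides them, which is why output encoding on the template is the effective fix.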
Other notes
The discovery was made by Seryun (Seryeon) Ham from Bitdefender. If you have any questions or require further information, please leave a comment. Additionally, I have registered the finding on the CVE website. Please confirm whether it is possible to disclose this vulnerability via the CVE website.
Functional component
Exception
ThinkPHP version
up to the latest version
Operating system
Debian
Error message
Affected version: 5.0.9
The following request, response and screenshot show successful execution of the JavaScript payload.
Request:
Response:
Screenshot #1: