vexim / vexim2

Virtual Exim 2

Reflected Cross-Site Scripting (XSS) #271

Closed c3l3si4n closed 2 years ago

c3l3si4n commented 3 years ago

Description

Improper validation of user input leads to a reflected cross-site scripting (XSS) or HTML injection in the Vexim2 web application. If a user inserts JavaScript or HTML code into certain parameters, the specified payload will be executed on page load.

Expected

Potentially malicious client-side code specified by a user should not be executed in the web application by the browser.

Actual

The browser successfully executes the specified JS or HTML payloads if a malicious URL is opened.

Steps to reproduce

  1. Log in as Administrator on vexim.
  2. Open the following URL and notice an XSS pop-up showing up.

http://127.0.0.1/admingroupdelete.php?group_id=1&localpart=test%27%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Ca%20a=%27

Impact

This may allow an attacker to steal sensitive session information or CSRF tokens for executing a Cross-Site Request Forgery attack.
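As an added illustration of the bug class and its fix (this is not Vexim2's own code, and the real admingroupdelete.php may be structured differently), the following PHP shows the reflection pattern that lets a `'>` in the localpart parameter break out of an attribute, next to a hardened handler; the function names, the allowlist pattern and the sample input are assumptions chosen for this example.

```php
<?php
// Added example, not Vexim2 code. Simulates a page that reflects the
// "localpart" query parameter back into an HTML attribute.

// Assumed vulnerable pattern: the raw parameter is interpolated into
// markup. A value containing '> closes the attribute and the tag, so any
// HTML that follows is rendered by the browser (the reported bug class).
function render_vulnerable(array $query): string
{
    $localpart = $query['localpart'] ?? '';
    return "<input type='text' name='localpart' value='" . $localpart . "'>";
}

// Hardened form: 1) enforce the expected shape of a mail local part,
//                2) HTML-encode on output, quoting both ' and ".
function valid_localpart(string $value): bool
{
    // Conservative allowlist (assumption): letters, digits, dot, dash,
    // underscore, plus. Widen if a deployment needs other RFC 5321 chars.
    return (bool) preg_match('/\A[A-Za-z0-9._+\-]{1,64}\z/', $value);
}

function encode_attr(string $value): string
{
    // ENT_QUOTES encodes ' as &#039; so single-quoted attributes stay closed;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $query): string
{
    $localpart = $query['localpart'] ?? '';
    if (!valid_localpart($localpart)) {
        http_response_code(400);
        // Even the rejection message encodes the value before echoing it.
        return '<p>Invalid local part: ' . encode_attr($localpart) . '</p>';
    }
    return "<input type='text' name='localpart' value='" . encode_attr($localpart) . "'>";
}

// Constructed input mirroring the shape of the reported URL (harmless tag).
$query = ['group_id' => '1', 'localpart' => "test'><b>x</b><a a='"];
echo render_vulnerable($query), "\n"; // attribute broken out of, <b> rendered
echo render_hardened($query), "\n";   // 400; value shown as inert &lt;b&gt; text
```

Output encoding is what removes the reflection; the allowlist is defense in depth and also keeps malformed local parts out of the Exim configuration.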

runout-at commented 3 years ago

I can confirm this for 'postmaster' and 'siteadmin' accounts.

Thanks for reporting.

Some years ago I started a web GUI in Python (#254). Maybe this would be better than the PHP scripts, but it still needs testing. https://gitlab.com/runout/veximpy