A Reflected XSS vulnerability in this sdk #43

Description

@jgj212

Hello:
I found a Reflected XSS vulnerability in this sdk.

The vulnerability exists due to insufficient filtration of user-supplied data in the “token_secret” HTTP REQUEST parameter that will be passed to “restapi-php-sdk-master\Immocaster\Oauth\example\client.php”. The infected source code is line 7; there is no protection on $_REQUEST['token_secret'];
code1

If $_REQUEST['token_secret'] contains evil JS code, line 102 will trigger untrusted code to be executed on the browser side
code2

So if an attacker constructs a special URL as follows and sends it to a victim, when the victim clicks the URL, the code which is contained in the URL will be executed on the victim's browser side to do some evil.
http://your-web-root/restapi-php-sdk-master/Immocaster/Oauth/example/client.php?token_secret="><script>alert(1)

The following screenshot is the result of clicking the URL above (Win7 SP1 x64 + Firefox 51.0.1 32-bit):

sc

Discoverer: ADLab of Venustech
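
The fix for the pattern reported above, as an added example that is not part of the original report and not the SDK's own code: the request value is encoded for the HTML attribute context at the point of output. The hidden-input markup and the function names `render_unsafe` and `render_safe` are assumptions, since the code screenshots referenced in the report are not available here.

```php
<?php
// Added illustration; NOT the SDK's client.php. The markup and the helper
// names below are assumptions made for the example.

// Vulnerable pattern as the report describes it: the request value is
// copied into the HTML response without any encoding.
function render_unsafe(array $request): string
{
    $secret = $request['token_secret'] ?? '';
    return '<input type="hidden" name="token_secret" value="' . $secret . '">';
}

// Hardened: encode for the HTML attribute context where the value is output.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_safe(array $request): string
{
    $secret = $request['token_secret'] ?? '';
    if (!is_string($secret)) {
        // A query string such as token_secret[]=x arrives as an array.
        $secret = '';
    }
    $encoded = htmlspecialchars($secret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="token_secret" value="' . $encoded . '">';
}

// The parameter value from the URL in the report, as PHP decodes it.
$request = ['token_secret' => '"><script>alert(1)'];

// Run with the PHP CLI to compare the two outputs as plain text.
echo render_unsafe($request), PHP_EOL; // attribute is closed early, markup injected
echo render_safe($request), PHP_EOL;   // quote and angle brackets become entities
```

In the hardened output the quote and angle brackets stay inside the `value` attribute as `&quot;`, `&gt;` and `&lt;`, so the browser treats them as data rather than markup.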
