iBarn
iBarn v1.5 has a reflected XSS vulnerability
Summary
A reflected Cross Site Scripting (XSS) vulnerability exists in iBarn v1.5 due to improper sanitization of the $search parameter in the html/index.php, html/pay.php, and html/own.php files. Although the htmlspecialchars function is used to encode HTML entities, the developers utilized the flag ENT_NOQUOTES, which does not encode single or double quotes, leading to the vulnerability.
Details
Because quotes are left unencoded, a search value containing a double quote closes the value="..." attribute of the search field, so attacker-controlled attributes (and therefore JavaScript) can be injected into the page, which can be exploited for XSS attacks.
html/index.php:
<input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">
html/pay.php:
<input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="搜你想要">
html/own.php:
<input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">
Proof of Concept (PoC)
http(s)://ip:port/index.php?search=1%22%20onmouseover=alert(document.cookie)%20bad=%221
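The following is an added example, not iBarn's own code: it places the vulnerable htmlspecialchars() call from the three templates next to a hardened replacement, feeds both the decoded PoC value, and applies a simple regression check a developer could keep in a test suite. The function names are this example's own.

```php
<?php
declare(strict_types=1);
// Added example (not from the iBarn code base): vulnerable versus hardened
// attribute encoding for the $search parameter, exercised with the PoC input.

// Vulnerable variant: ENT_NOQUOTES encodes only & < >, so a double quote in
// $search terminates the value="..." attribute and the rest becomes markup.
function escapeSearchVulnerable(string $search): string
{
    return htmlspecialchars($search, ENT_NOQUOTES);
}

// Hardened variant: ENT_QUOTES also encodes " and ', ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning "", and the charset is stated explicitly.
function escapeSearchFixed(string $search): string
{
    return htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders the input element the same way the affected templates do.
function renderSearchInput(string $escapedValue): string
{
    return '<input type="text" class="form-control" id="search" name="search" value="'
        . $escapedValue . '">';
}

// Regression check for an attribute-context encoder: the escaped value must
// contain neither quote character, otherwise it can break out of the attribute.
function isAttributeSafe(string $escapedValue): bool
{
    return strpbrk($escapedValue, "\"'") === false;
}

// Decoded form of the advisory's PoC query string (constructed here).
$poc = '1" onmouseover=alert(document.cookie) bad="1';

foreach (['vulnerable' => escapeSearchVulnerable($poc),
          'fixed'      => escapeSearchFixed($poc)] as $label => $escaped) {
    printf("%-10s attribute_safe=%s\n  %s\n", $label,
        isAttributeSafe($escaped) ? 'yes' : 'no', renderSearchInput($escaped));
}
```

The vulnerable line renders an extra onmouseover attribute, while the fixed line keeps the whole PoC inside the attribute as `1&quot; onmouseover=... bad=&quot;1`; note that since PHP 8.1 the default flags of htmlspecialchars() already include ENT_QUOTES, so the issue only arises because ENT_NOQUOTES was passed explicitly.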
Differentiation from CVE-2024-26471
This vulnerability is distinct from CVE-2024-26471: it specifically targets the $search parameter that is passed through the htmlspecialchars function, whose filtering is bypassed because quote characters are left unencoded.
Although CVE-2024-26471 only mentioned that the search field in html/offer.php lacks any filtering, our investigation revealed that several other pages (shareme.php, recycle.php, collection.php, pub.php, myshare.php) also do not filter the $search parameter, leading to multiple cross-site scripting (XSS) vulnerabilities.