Login page is vulnerable to XSS user?redirectUri="><img%20src=x%20onerror=alert(1)>
Make sure to filter the redirectUri parameter.
ahussam
All 9 comments
Thanks again
DanielnetoDotCom
on 22 May 2020
This issue won't be fixed with your patch since an attacker can pass a valid URL with XSS vector in the parameter e.g http://www.google.com/?x="><img src=x onerror=alert(1)>
@DanielnetoDotCom
ahussam
on 22 May 2020
I tried it here and does not seem to have any effect https://demo.avideo.com/user?redirectUri=http://www.google.com/?x=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
DanielnetoDotCom
on 22 May 2020
Check this vector:
https://demo.avideo.com/user?redirectUri=http://www.google.com/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
@DanielnetoDotCom
ahussam
on 22 May 2020
Thanks, what about now?
DanielnetoDotCom
on 22 May 2020
Fixed
ahussam
on 22 May 2020
Just curious why not sanitize?
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
ronaldod
on 22 May 2020
I did not know that.
but do you think it worth filter all post array? maybe add this only for some specific vars?
DanielnetoDotCom
on 22 May 2020
Depending on the expecting chars that are passed you can sanitize the whole post. It is worth the investigation. Now you are blacklisting instead of whitelisting.
ronaldod
on 22 May 2020
Related issues
akhilleusuggo
路
3Comments
syldri
路
3Comments
gujarraju
路
4Comments
moses268
路
3Comments
ganddser
路
3Comments