CVE-2023-1106: Unsanitized input returned in response is conducive to XSS exploitation in flatpress

Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3.


Description

During the initial installation process it was identified that the “Create user” form, which collects user data, does not properly sanitize the submitted values and then prints them back on the screen inside an error message without any apparent validation, thus allowing HTML or JavaScript code to be injected and Cross-Site Scripting (XSS) to be exploited. The vulnerable fields are fpuser, email and www; all of them are sent through a POST request and are handled in the file main.lib.php.

Reviewing the source code, we identified the use of the PHP functions ctype_alnum and preg_match for the fields mentioned above; however, these functions only reject the value, they do not prevent the error variable ($err) from capturing the user's input in its entirety.
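The pattern described above, as an added illustration that is not FlatPress's own code: a field is validated with ctype_alnum or preg_match, but the error message built on failure embeds the raw submitted value, so the validation does nothing to stop that value from being reflected into the response. The function names, the e-mail regex, and the sample POST body are assumptions constructed for this example; the hardened variant encodes for the HTML context at the point of output (or avoids echoing the rejected value altogether), which is the fix the OWASP cheat sheet referenced below prescribes.

```php
<?php
declare(strict_types=1);

// Added illustration (not FlatPress code). Models the pattern the advisory
// describes: the value is validated, but the error text still carries it verbatim.

/** Vulnerable pattern: the check rejects the value, yet $err reflects it unescaped. */
function buildErrorsVulnerable(array $post): array
{
    $err = [];
    $fpuser = (string)($post['fpuser'] ?? '');
    if ($fpuser === '' || !ctype_alnum($fpuser)) {
        // ctype_alnum correctly fails here, but the message embeds the raw input
        $err['fpuser'] = "Invalid username: {$fpuser}";
    }
    $email = (string)($post['email'] ?? '');
    // Hypothetical regex standing in for the real check; the point is the echo below, not the pattern
    if (!preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $email)) {
        $err['email'] = "Invalid e-mail: {$email}";
    }
    return $err;
}

/** Encode a string for an HTML body context (ENT_QUOTES also covers attribute values). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: same checks, but user-controlled data is encoded before it reaches HTML. */
function buildErrorsSafe(array $post): array
{
    $err = [];
    $fpuser = (string)($post['fpuser'] ?? '');
    if ($fpuser === '' || !ctype_alnum($fpuser)) {
        $err['fpuser'] = 'Invalid username: ' . h($fpuser);
    }
    $email = (string)($post['email'] ?? '');
    if (!preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $email)) {
        // Safer still: describe the rule instead of echoing the rejected value at all
        $err['email'] = 'Invalid e-mail address: expected something like user@example.org';
    }
    return $err;
}

/** Renders the error block the way a template would, with no further escaping. */
function renderErrors(array $err): string
{
    $html = "<ul class=\"errors\">\n";
    foreach ($err as $field => $msg) {
        // $field comes from the constant keys above, not from the request
        $html .= "  <li data-field=\"{$field}\">{$msg}</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample POST body mirroring the advisory's proof-of-concept value.
$sample = [
    'fpuser' => "<script>alert('XSS')</script>",
    'email'  => 'not-an-address',
];

echo "--- vulnerable ---\n", renderErrors(buildErrorsVulnerable($sample));
echo "--- hardened ---\n",   renderErrors(buildErrorsSafe($sample));
// In the hardened output the tag arrives as &lt;script&gt;..., which the browser displays as text.
```

Run with `php example.php` and compare the two blocks: the first contains a literal script element inside the list item, the second contains only entity-encoded text. Note that the input check and the output encoding are independent controls; rejecting a value with ctype_alnum or preg_match says nothing about whether that value is later written into a page, so every place where $err is printed needs the encoding step.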

Proof of Concept

To exploit this vulnerability follow the steps below:

  1. Download FlatPress version 1.2.1 and upload it to your web server.

  2. From the browser, start the simple installation process.

  3. In the “Create user” form identify the vulnerable fields (fpuser) and insert the following payload:

    <script>alert('XSS')</script>

  4. Click on the Next button. If you make an invalid insertion you will get an error message for each field. Your payload will be executed.

Impact

This vulnerability allows attackers to steal relevant information, deface the website or redirect users to malicious websites; it may also be chained with further, more advanced attacks.

References

  • https://cwe.mitre.org/data/definitions/20.html
  • https://cwe.mitre.org/data/definitions/116.html
  • https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
