CVE-2022-0678

Description

The microweber is cms of E-commerce. When user do logout, occur the reflected xss because not escaping of double quote for $redirect_to parameter in the back-end.

1
2
3
4
5
6
7
8
9
        $redirectUrl = str_replace("\r", "", $redirectUrl);
        $redirectUrl = str_replace("\n", "", $redirectUrl);

+       $clearInput = new HTMLClean();
+       $redirectUrl = $clearInput->clean($redirectUrl);
+
        if (headers_sent()) {
            echo '<meta http-equiv="refresh" content="0;url=' . $redirectUrl . '">';
        } else {

This issue was fixed that add $clearInput->clean() function.

Proof of Concept

1
2
1. Login as to any account.
2. Go to https://<server>/demo/api/logout?redirect_to=/asdf"><iframe onload=alert(document.domain)>

Reporting Timeline

  • 2022-02-18 15h 48m : Reported this issue via the huntr
  • 2022-02-18 19h 48m : Validated this issue by Peter Ivanov
  • 2022-02-18 19h 48m : Patched this issue by Peter Ivanov
  • 2022-02-18 19h 48m : Assigned a CVE-2022-0678

Reference