Hi,
Our research team at KAIST WSP Lab found a reflected XSS vulnerability in ICEcoder 8.0.
- Description: A reflected XSS vulnerability was identified in the multiple-results.php page due to insufficient sanitization of the _GET['replace'] variable. As a result, arbitrary JavaScript code can be executed in the victim's browser.
- Steps to reproduce
1. Log in to the website
2. Go to the link: http://[server]/icecoder/lib/multiple-results.php?csrf=[CSRF or Session Token]&replace=123%27)%3Cscript%3Ealert(1);%3C/script%3E
3. Boom!
* Note that a CSRF token sent via GET is considered harmful because the HTTP Referer header can leak it to a third-party domain.
OWASP recommends against it: "CSRF tokens in GET requests are potentially leaked at several locations, such as the browser history, log files, network appliances that log the first line of an HTTP request, and Referer headers if the protected site links to an external site."
Based on this information, we assumed that we can get CSRF tokens of the victims.
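To make the two weaknesses above concrete for a fix, here is an added PHP illustration (not ICEcoder's code; the function names, the markup and the request arrays are hypothetical). It shows the general reflected-parameter pattern the report describes next to an output-encoded version, and a token check that refuses tokens arriving in the query string:

```php
<?php
// Added illustration, not ICEcoder's own code. Function names, markup and
// sample inputs are hypothetical; ICEcoder's real multiple-results.php is not reproduced.

declare(strict_types=1);

// Vulnerable pattern (hypothetical): a GET parameter is interpolated straight into HTML.
// Whatever the parameter contains, including a <script> element, becomes part of the page.
function render_results_vulnerable(array $get): string
{
    $replace = $get['replace'] ?? '';
    return "<p>Replacing with: " . $replace . "</p>";
}

// Hardened pattern: encode for the HTML text context before emitting.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function render_results_safe(array $get): string
{
    $replace = $get['replace'] ?? '';
    $encoded = htmlspecialchars((string) $replace, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Replacing with: " . $encoded . "</p>";
}

// CSRF token check: accept the token only from a POST body, never from the query
// string (so it cannot end up in Referer headers, history or access logs), and
// compare it in constant time against the value stored in the session.
function csrf_token_valid(array $post, array $server, string $sessionToken): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // a token delivered via GET is rejected even if it is correct
    }
    $presented = $post['csrf'] ?? '';
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    return hash_equals($sessionToken, $presented);
}

// Constructed sample input: the report's payload in its URL-decoded form.
$sample = ['replace' => "123')<script>alert(1);</script>"];

echo render_results_vulnerable($sample), PHP_EOL; // script element emitted verbatim
echo render_results_safe($sample), PHP_EOL;       // angle brackets and quotes are entity-encoded

// Constructed request: correct token value, but delivered with a GET request.
$fakeServer = ['REQUEST_METHOD' => 'GET'];
var_dump(csrf_token_valid(['csrf' => 'TOKEN-PLACEHOLDER'], $fakeServer, 'TOKEN-PLACEHOLDER'));
```

Run it with `php` on the command line: the first line of output contains the raw `<script>` element, the second contains only entity-encoded text that a browser renders as literal characters, and the token check returns `false` because the request method is GET. Moving the token into a POST body (or a custom request header) is the fix for the leak the report points out; a `Referrer-Policy` header reduces what the browser sends to third-party domains but does not replace that change.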
- Screen shot