Our research team in KAIST WSP Lab found a reflected cross-site scripting (XSS) vulnerability in ICEcoder 8.0.
- Steps to reproduce
1. Login to the website
2. Go to the link: http://[server]/icecoder/lib/multiple-results.php?csrf=[CSRF or Session Token]&replace=123%27)%3Cscript%3Ealert(1);%3C/script%3E
* Note that sending a CSRF token via GET is considered harmful, because the HTTP Referer header can leak it to a third-party domain.
OWASP notes that "CSRF tokens in GET requests are potentially leaked at several locations, such as the browser history, log files, network appliances that log the first line of an HTTP request, and Referer headers if the protected site links to an external site."
Based on this information, we assumed that we could obtain the CSRF tokens of victims.
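As an added example (not ICEcoder's own code), the following Python models the reflection described above together with a regression check a maintainer can keep: the two render functions are assumed shapes of a vulnerable and a hardened results page, the host and token in the URL are placeholders, and the payload is the one from the reproduction URL.

```python
"""Reflected-XSS regression check for a 'replace' parameter (added example)."""
import html
from urllib.parse import urlsplit, unquote

# Constructed from the report's reproduction URL: placeholder host and token,
# same 'replace' payload.
REPORT_URL = ("http://example.invalid/icecoder/lib/multiple-results.php"
              "?csrf=PLACEHOLDER_TOKEN&replace=123%27)%3Cscript%3Ealert(1);%3C/script%3E")


def query_param(url: str, name: str) -> str:
    """Return the percent-decoded value of one query parameter, or '' if absent."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return ""


def render_vulnerable(replace: str) -> str:
    # Assumed vulnerable shape: the parameter is interpolated into HTML verbatim.
    return f"<p>Replaced with: {replace}</p>"


def render_hardened(replace: str) -> str:
    # Hardened form: HTML-encode for the element-content context before output,
    # so '<', '>', quotes and '&' can no longer start markup.
    return f"<p>Replaced with: {html.escape(replace, quote=True)}</p>"


def reflects_unencoded(response_html: str, value: str) -> bool:
    """True if the value is echoed with its HTML metacharacters intact."""
    return any(ch in value for ch in "<>\"'&") and value in response_html


def token_in_query(url: str) -> bool:
    """True if a CSRF token travels in the URL, where Referer and logs can expose it."""
    return query_param(url, "csrf") != ""
```

Run the check against a staging instance's real response body instead of `render_*` to confirm a fix; both functions here exist only to show the before/after behaviour.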
- Screenshot