Reflected Cross-Site Scripting (XSS) vulnerability in fabrik_referrer (CVE-2018-10727)

[dcianciulli]

Issue description

A reflected Cross-Site Scripting (XSS) vulnerability in fabrik_referrer hidden input field in fabrik forms allows remote attackers to inject arbitrary scripts via the unsanitized HTTP Referrer header.

Example

Given a fabrik form URL, for example http://www.foo.bar.com/vulnerable-form.html that contains an input field such as <input type="hidden" name="fabrik_referrer" value="http://sample.referrer.com" />, it is possible to reproduce the vulnerability by changing the referrer, for example with http://sample.referrer.com"accesskey="x"onclick="alert(1).

This may be possible via the following cURL command:

curl -H 'Referer: http://sample.referrer.com"accesskey="x"onclick="alert(1)' 'http://www.foo.bar.com/vulnerable-form.html'

CVE ID

CVE-2018-10727

Credits

Danilo Cianciulli*
Paolo Di Notte*
*: Koine Srl

[cheesegrits]

Thanks, I'll get that fixed and reference this issue when I commit it.

[dcianciulli]

Dear @cheesegrits , are there any news for this issue? Has it been resolved?

[OS-WS]

Hi, @cheesegrits ,
Is there any update here?
Was it fixed?