CVE-2024-26472 - Exploiting Reflected XSS in KLiK SocialMediaWebsite v1.0.1 (msaad1999)
Date: 2024-06-23
Introduction
Recently, a new security vulnerability, CVE-2024-26472, was discovered in KLiK SocialMediaWebsite version 1.0.1 by msaad1999. This popular open-source social media platform fails to validate or encode user input on its password reset page (create-new-pwd.php), which opens the door to a reflected cross-site scripting (XSS) attack via the selector or validator URL parameters.
In this post, I'll explain how this bug works, show a simple proof-of-concept (PoC), and give tips on how users and site owners can protect against attacks.
What Is Reflected XSS?
Reflected XSS happens when a web application takes data from the incoming request (here, URL query parameters) and writes it into the response page without validating or encoding it for the HTML context it lands in. The injected JavaScript then runs in the victim's browser under the site's origin, where it can hijack the session, read sensitive data, perform actions as the user, or deface the page.
In the case of KLiK SocialMediaWebsite, the vulnerability exists because the selector and validator GET parameters are echoed into HTML attributes on the page without any escaping.
The Vulnerability
File Affected:
/create-new-pwd.php (in the web root).
Vulnerable Parameters:
selector and validator (GET). When a user clicks on a password reset link, these two parameters are passed in the URL:
https://example.com/create-new-pwd.php?selector=<value>&validator=<value>
Because the page neither validates nor escapes them, whatever is in the URL is reflected into the page as-is.
Malicious Link Example
https://targetsite.com/create-new-pwd.php?selector=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&validator=abc
The selector value URL-decodes to "><script>alert('XSS')</script>. The leading "> matters: the page places the value inside value="...", so a bare <script> tag would just be attribute text, while "> first closes the attribute and the hidden input tag. When a victim clicks this link or is tricked into visiting it, the following happens in their browser:
- The hidden input is closed early and the injected <script>alert('XSS')</script> executes in the context of targetsite.com. The alert is only a proof; a real attacker would substitute code that steals the session cookie or submits actions as the victim.
Simplified Code Snippet From create-new-pwd.php
<?php
// Both values come straight from the query string; no format check is applied.
$selector = $_GET["selector"];
$validator = $_GET["validator"];
?>
<html>
<body>
<form action="process-pwd-reset.php" method="post">
<!-- Each value is written into a double-quoted attribute with no encoding. -->
<input type="hidden" name="selector" value="<?php echo $selector; ?>">
<input type="hidden" name="validator" value="<?php echo $validator; ?>">
<!-- more form fields... -->
<button type="submit">Reset Password</button>
</form>
</body>
</html>
There is no escaping/sanitization on $selector or $validator before output. Anything in the URL is placed in the HTML as-is.
Mitigation
To prevent this attack, the developer must encode the values at the point where they are written into HTML (output encoding), not merely "clean" them on input. In PHP, use htmlspecialchars with ENT_QUOTES and an explicit charset so that both double and single quotes are encoded, which makes the value safe inside a quoted attribute:
<input type="hidden" name="selector" value="<?php echo htmlspecialchars($selector, ENT_QUOTES, 'UTF-8'); ?>">
<input type="hidden" name="validator" value="<?php echo htmlspecialchars($validator, ENT_QUOTES, 'UTF-8'); ?>">
As defence in depth, also validate that selector and validator match the format the reset-token generator actually produces (for example, a fixed-length string of hex digits) and reject the request otherwise. A token that fails that check can never belong to a valid reset link, so there is no reason to render it at all.
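The following script is an added example written for this post, not code from the KLiK repository. It renders the same hidden-field form as the simplified create-new-pwd.php snippet above in two ways, the vulnerable raw echo and a hardened version that allowlists the tokens and then escapes them at the output sink, and shows what each produces for the attribute-breakout payload from the malicious link. The function names (e, isValidToken, renderVulnerable, renderHardened) and the assumed token format (exactly 32 lowercase hex characters) are mine; adjust the regular expression to whatever the project's reset-token generator really emits. Requires PHP 7.1 or later.

```php
<?php
// Added example, not KLiK's own code. Demonstrates the vulnerable and the
// hardened rendering of create-new-pwd.php side by side.
declare(strict_types=1);

// Escape a value for insertion into a double- or single-quoted HTML attribute.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, which would otherwise be a silent failure.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist check. ASSUMPTION: reset tokens are exactly 32 lowercase hex digits.
// \A and \z anchor the whole string so a trailing newline cannot sneak past.
function isValidToken(string $value): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $value) === 1;
}

// Vulnerable rendering: mirrors the snippet in the post, input echoed verbatim.
function renderVulnerable(string $selector, string $validator): string
{
    return '<form action="process-pwd-reset.php" method="post">'
         . '<input type="hidden" name="selector" value="' . $selector . '">'
         . '<input type="hidden" name="validator" value="' . $validator . '">'
         . '<button type="submit">Reset Password</button></form>';
}

// Hardened rendering: validate first (fail closed), then escape at the sink.
// Escaping alone would already stop the XSS; validation shrinks the surface
// further and keeps garbage out of the reset flow entirely.
function renderHardened(string $selector, string $validator): string
{
    if (!isValidToken($selector) || !isValidToken($validator)) {
        return '<p>Invalid or expired password reset link.</p>';
    }
    return '<form action="process-pwd-reset.php" method="post">'
         . '<input type="hidden" name="selector" value="' . e($selector) . '">'
         . '<input type="hidden" name="validator" value="' . e($validator) . '">'
         . '<button type="submit">Reset Password</button></form>';
}

// Self-check when run from the CLI:  php xss-demo.php
if (PHP_SAPI === 'cli') {
    // Constructed inputs: the breakout payload from the PoC link and a
    // well-formed token of the assumed format.
    $payload = '"><script>alert(\'XSS\')</script>';
    $good    = str_repeat('ab', 16);

    $bad = renderVulnerable($payload, 'abc');
    echo "Vulnerable output:\n  $bad\n";
    echo "  contains a live <script> tag: "
       . (strpos($bad, '<script>') !== false ? "yes" : "no") . "\n\n";

    echo "Escaped payload alone:\n  " . e($payload) . "\n\n";

    echo "Hardened output with payload (rejected by allowlist):\n  "
       . renderHardened($payload, 'abc') . "\n\n";

    $ok = renderHardened($good, $good);
    echo "Hardened output with valid tokens:\n  $ok\n";
    echo "  contains a live <script> tag: "
       . (strpos($ok, '<script>') !== false ? "yes" : "no") . "\n";
}
```

The vulnerable branch emits the payload's "> unchanged, so the browser closes the hidden input and runs the script. In the hardened branch the payload never reaches the form at all, and even if the allowlist were removed, e() turns it into &quot;&gt;&lt;script&gt;..., which the browser renders as inert attribute text.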
References
- GitHub Repo: KLiK SocialMediaWebsite (msaad1999)
- CVE-2024-26472 at NVD *(pending full entry)*
- OWASP XSS Cheat Sheet
- XSS Explained - portswigger.net
Conclusion
CVE-2024-26472 is a classic reflected XSS bug, but it is serious because it is trivial to exploit and, since it lives on the password reset page, it targets exactly the flow an attacker would use to take over accounts. It is a reminder: never trust user input; validate it, and always encode it for the context in which it is rendered. If you run KLiK SocialMediaWebsite, apply the escaping fix today.
Timeline
Published on: 02/29/2024 01:44:19 UTC
Last modified on: 10/31/2024 16:35:08 UTC