PHP Server Monitor v3.5.2 - Stored XSS

Summary

NamePHP Server Monitor v3.5.2 - Stored XSS
Code nameGilmour
ProductPHP Server Monitor
Affected versionsv3.5.2
StatePublic
Release date2022-03-07

Vulnerability

KindStored cross-site scripting (XSS)
Rule010. Stored cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score4.8
Exploit availableNo
CVE ID(s)CVE-2022-23044

Description

PHP Server Monitor v3.5.2 allows an authenticated admin user to inject Javascript code inside the "ip" parameter while adding a new website to monitor.

Proof of Concept

Steps to reproduce

  1. Go to the 'Servers' tab.

  2. Click on 'Add new'.

  3. Fill the 'Label' field.

  4. Select 'Website' as the type.

  5. Fill the 'Domain/IP' field using one of the following POCs.

        https://www.example.com" onmouseover=alert(1)>
        https://www.example.com" style="display: block; position: fixed; top: 0; left: 0; z-index: 99999; width: 9999px; height: 9999px;" onmouseover=alert('XSS')> (To avoid user interaction)
    
  6. The javascript code will be executed when a user visits the 'Servers' tab again.

System Information

  • Version: PHP Server Monitor v3.5.2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

By 2022-03-07 there is not a patch resolving the issue.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://www.phpservermonitor.org/

Issue https://github.com/phpservermon/phpservermon/issues/1178

Timeline

Time-lapse-logo

2022-01-11

Vulnerability discovered.

Time-lapse-logo

2022-01-11

Vendor contacted.

Time-lapse-logo

2022-01-17

Vendor replied acknowledging the report.

Time-lapse-logo

2022-03-07

Public Disclosure.