uBidAuction Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in uBidAuction version 2.0.1, specifically within the 'auctions/myAuctions/status/loose' module. The vulnerability arises from improper sanitization of the 'date_created', 'date_from', 'date_to', and 'created_at' parameters in the filter functionality. This oversight allows remote attackers to inject malicious scripts via crafted GET requests, which are executed in the browsers of victims.

Impact

Exploitation of this vulnerability allows for session hijacking, non-persistent phishing attacks, external redirects to malicious sources, and manipulation of affected application modules.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'auctions/myAuctions/status/loose' module with injected scripts in the 'date_created', 'date_from', 'date_to', or 'created_at' parameters. This can be done using a web browser or a tool that allows for the modification of GET request parameters.

Remediation

The vulnerability can be addressed by implementing proper input validation and output sanitization for the affected parameters. Reject special characters in the 'date_created', 'date_from', 'date_to', and 'created_at' parameters of GET requests, and sanitize the output in the filter module so that reflected values cannot execute as script.
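The two remediation steps above (strict validation of the date parameters on input, encoding on output) are illustrated here in a generic server-side example. This is an added example, not code from uBidAuction: the advisory does not show the application's own source or framework, so the function and class names (validate_date_param, validate_filter, render_filter_field, FilterInput) and the assumption that the filter values are calendar dates in YYYY-MM-DD form are assumptions. The sample GET query in main() is constructed for the demonstration.

```python
"""Defensive handling of the four date-filter parameters named in the advisory.

Added example, not uBidAuction code. Names and the YYYY-MM-DD format are
assumptions; the page does not show the application's own implementation.
"""
import html
import re
from datetime import date

# Allow-list of the filter parameters named in the advisory.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Assumption: the filter expects ISO-style calendar dates. Anything else,
# including any value carrying quotes or angle brackets, is rejected before
# it reaches the filter query or the page template.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


class FilterInput(ValueError):
    """Raised when a date filter parameter fails validation."""


def validate_date_param(name: str, value: str) -> date:
    """Return the parsed date, or raise FilterInput.

    The regex rejects any value that is not exactly a date shape (so markup
    cannot pass); date.fromisoformat then rejects well-formed-looking but
    impossible dates such as 2026-13-40.
    """
    if name not in DATE_PARAMS:
        raise FilterInput(f"unexpected filter parameter: {name!r}")
    if not _DATE_RE.fullmatch(value):
        raise FilterInput(f"{name} must be YYYY-MM-DD")
    try:
        return date.fromisoformat(value)
    except ValueError as exc:
        raise FilterInput(f"{name} is not a valid calendar date") from exc


def is_valid_date_param(name: str, value: str) -> bool:
    """Boolean convenience wrapper around validate_date_param."""
    try:
        validate_date_param(name, value)
    except FilterInput:
        return False
    return True


def validate_filter(query: dict) -> dict:
    """Validate every allow-listed date parameter in a parsed GET query.

    Keys outside the allow-list are dropped rather than echoed back, so an
    unexpected parameter can never be reflected into the page.
    """
    return {k: validate_date_param(k, v) for k, v in query.items() if k in DATE_PARAMS}


def render_filter_field(name: str, raw_value: str) -> str:
    """Render the filter input with the submitted value reflected safely.

    Defence in depth for the output side: even if validation were skipped,
    html.escape(..., quote=True) encodes &, <, >, " and ' so the value cannot
    break out of the attribute and be interpreted as markup or script.
    """
    return (f'<input type="date" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(raw_value, quote=True)}">')


def main() -> None:
    # Constructed sample query: two valid dates, one pagination parameter
    # that is not a date filter, and one malformed date value.
    good_query = {"date_from": "2026-05-01", "date_to": "2026-05-10", "page": "2"}
    print("accepted:", validate_filter(good_query))

    bad_value = '2026-05-10"><b>x</b>'  # constructed malformed value
    print("malformed value accepted?", is_valid_date_param("date_created", bad_value))
    # Output encoding shown on the malformed value to demonstrate the second step.
    print("encoded field:", render_filter_field("date_created", bad_value))


if __name__ == "__main__":
    main()
```

Validation alone would be enough for parameters that are genuinely dates, but the advisory's remediation asks for both controls, and keeping the output encoding in the template protects any other parameter the filter module later reflects.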

Added: May 10, 2026, 1:21 PM
Updated: May 10, 2026, 1:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.