uBidAuction Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in uBidAuction version 2.0.1, in the backend/mailingLog/manage module. The filter functionality reads the date_created, date_from, date_to, and created_at GET parameters and writes them back into the HTML response without validating them or encoding them for the output context. A remote attacker can therefore embed script in a crafted URL for the module; the script executes in the browser of any user who opens that URL, within the application's origin.

Impact

Because the injected script runs in the application's origin, exploitation allows session hijacking, non-persistent phishing attacks, external redirects to malicious sources, and manipulation of the affected application modules on the victim's behalf. The vulnerable module sits in the application backend, so the realistic victim is an authenticated operator who is lured into opening the crafted link; as with any reflected cross-site scripting issue, the attack requires that user interaction.

Reproduction

The vulnerability can be reproduced by sending a GET request to the backend/mailingLog/manage module with script placed in the date_created, date_from, date_to, or created_at parameter and confirming that the parameter value is echoed into the response unencoded. A web browser is sufficient; an intercepting proxy such as Burp Suite makes it easier to modify the request parameters.

Remediation

To address this vulnerability, uBidAuction users should update to the latest version. The fix itself has two layers: validate the date_created, date_from, date_to, and created_at parameters against the expected date format on input, rejecting anything that is not a date rather than attempting to strip special characters, and HTML-encode the values wherever they are written back into the page. The output encoding is what actually prevents script execution; input validation narrows the attack surface but is not sufficient on its own. A restrictive Content-Security-Policy on the backend further limits the impact of any reflection that is missed.
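The reflection pattern described above and the two-layer fix, as an added example in Python; this is not uBidAuction's code (the page shows none of the application's source), and the HTML form layout, function names, ISO date format and probe string are assumptions. The parameter names are the ones the advisory lists. The same block also serves the reproduction check: it tests whether a probe containing HTML metacharacters comes back into the response unchanged.

```python
"""Constructed example of a mailing-log filter form, vulnerable and hardened.
Not uBidAuction's code. Parameter names are from the advisory; the HTML,
function names, date format and probe are assumptions made for illustration."""
import html
import re
from datetime import date

# Filter parameters the advisory names as reflected into the response.
FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Strict allow-list for the input layer: ISO-8601 calendar dates only.
# The real application's date format is not known; this one is assumed.
_ISO_DATE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed probe: closes the value attribute and opens a new tag.
# It is harmless markup, chosen only to show attribute breakout.
PROBE = '"><b>probe</b>'


def render_filter_vulnerable(params: dict) -> str:
    """Echo each filter value straight into a value="..." attribute.
    No validation and no encoding: the pattern behind a reflected XSS."""
    fields = []
    for name in FILTER_PARAMS:
        value = params.get(name, "")
        fields.append(f'<input type="text" name="{name}" value="{value}">')
    return '<form method="get">' + "".join(fields) + "</form>"


def validate_date(value: str) -> str:
    """Return value unchanged if it is a real ISO-8601 calendar date,
    otherwise return '' (reject, do not try to clean up)."""
    if not _ISO_DATE.fullmatch(value):
        return ""
    try:
        date.fromisoformat(value)  # rejects e.g. 2026-02-30
    except ValueError:
        return ""
    return value


def render_filter_hardened(params: dict, validate: bool = True) -> str:
    """Validate on the way in and HTML-encode on the way out.
    validate=False shows that encoding alone already stops the breakout;
    validation is the second layer that keeps junk out of the template."""
    fields = []
    for name in FILTER_PARAMS:
        value = params.get(name, "")
        if validate:
            value = validate_date(value)
        # quote=True also encodes " and ', which matters inside attributes.
        encoded = html.escape(value, quote=True)
        fields.append(f'<input type="text" name="{name}" value="{encoded}">')
    return '<form method="get">' + "".join(fields) + "</form>"


def is_reflected_unencoded(response_body: str, probe: str) -> bool:
    """Reproduction check: the probe with its metacharacters intact appears
    in the response body, so a browser would parse it as markup."""
    return probe in response_body


if __name__ == "__main__":
    crafted = {"date_from": PROBE, "date_to": "2026-05-10"}
    print("vulnerable reflects probe:",
          is_reflected_unencoded(render_filter_vulnerable(crafted), PROBE))
    print("encoding only reflects probe:",
          is_reflected_unencoded(render_filter_hardened(crafted, validate=False), PROBE))
    print("validate + encode reflects probe:",
          is_reflected_unencoded(render_filter_hardened(crafted), PROBE))
```

Running the block shows the vulnerable renderer returning the probe verbatim inside the attribute, while both hardened variants return it neutralised: the encode-only variant emits `&quot;&gt;&lt;b&gt;probe&lt;/b&gt;`, and the fully hardened variant drops the value because it is not a date. In a real assessment the same `is_reflected_unencoded` check is applied to the body of the HTTP response from the module rather than to a locally rendered string.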

Added: May 10, 2026, 1:18 PM
Updated: May 10, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.