pojoin h3blog Cross-Site Scripting Vulnerability via X-Forwarded-For Header
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in pojoin h3blog versions up to 5bf704425ebc11f4c24da51f32f36bb17ae20489. The issue arises in the 'ppt_log' function within the '/login' file, part of the HTTP Header Handler component. The vulnerability is triggered by manipulating the 'X-Forwarded-For' header, allowing remote attackers to inject JavaScript code that executes when an administrator reviews the operation logs, potentially leading to the theft of sensitive information such as cookies.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the logs, such as an administrator.
Reproduction
To reproduce this vulnerability, send a login request to the '/login' endpoint with a forged 'X-Forwarded-For' header containing JavaScript code, such as a script tag with an alert. This can be done using a tool like Burp Suite or by manually crafting the request. Once the request is sent, the injected script will execute when the operation logs are viewed by an administrator.
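The flaw described above is a classic header-to-log-to-HTML path: a header value that is never validated on the way in and never escaped on the way out. The following added example (not h3blog's code; the dict-based requests, the field names and the fallback peer address are constructed assumptions) shows the vulnerable storage pattern beside a hardened version that validates X-Forwarded-For as an IP address, escapes values when the admin log page is rendered, and includes a triage helper for finding entries already poisoned in existing logs.

```python
import html
import ipaddress

# Constructed sample login requests (headers as plain dicts), standing in
# for the '/login' requests the advisory describes; not h3blog's own code.
SAMPLE_REQUESTS = [
    {"X-Forwarded-For": "203.0.113.7, 10.0.0.2", "user": "alice"},
    {"X-Forwarded-For": "<script>alert(1)</script>", "user": "bob"},
    {"user": "carol"},  # request that arrived without a proxy header
]
FALLBACK_ADDR = "198.51.100.1"  # assumed TCP peer address of the request

def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def store_entry_unsafe(headers: dict) -> dict:
    """Vulnerable pattern: the raw header value is written to the log."""
    return {"user": headers.get("user", ""),
            "ip": headers.get("X-Forwarded-For", FALLBACK_ADDR)}

def store_entry_safe(headers: dict, remote_addr: str = FALLBACK_ADDR) -> dict:
    """Hardened input side: keep X-Forwarded-For only if its first hop is a
    real IP address; otherwise record the peer address, so script text can
    never be stored as an 'IP' in the first place."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    ip = first if _is_ip(first) else remote_addr
    return {"user": headers.get("user", ""), "ip": ip}

def render_row(entry: dict, escape: bool = True) -> str:
    """Hardened output side: HTML-escape every stored value when the admin
    log page is built. escape=False reproduces the vulnerable rendering."""
    enc = (lambda s: html.escape(str(s), quote=True)) if escape else str
    return f"<tr><td>{enc(entry['user'])}</td><td>{enc(entry['ip'])}</td></tr>"

def find_suspicious(entries: list) -> list:
    """Triage helper for logs already written by the vulnerable code: flag
    entries where any recorded hop is not a valid IP address."""
    bad = []
    for e in entries:
        hops = [h.strip() for h in str(e["ip"]).split(",")]
        if not all(_is_ip(h) for h in hops):
            bad.append(e)
    return bad
```

Validating the header as an IP address only makes it safe to store and render; the first hop of X-Forwarded-For is still client-supplied and should not be trusted for access decisions.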
