yi-ge Get-Header-IP Cross-Site Scripting Vulnerability in Callback Handling
Vulnerability
A cross-site scripting vulnerability has been identified in yi-ge Get-Header-IP versions prior to the commit 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15. The issue arises in the 'ip' function of 'ip.php', where user input in the 'callback' parameter is not properly sanitized before being output. This flaw allows for the injection of malicious scripts, which could be executed in the context of the user's browser. The vulnerability can be exploited remotely, but requires user interaction.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a request to the 'ip.php' file with a 'callback' parameter. The server will respond with the IP address wrapped in the specified callback, which can be used to execute arbitrary JavaScript in the user's browser.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.