PiHome Cross-Site Scripting Vulnerability in index.php

A cross-site scripting (XSS) vulnerability has been identified in PiHome version 1.77. The issue arises in the file index.php, where user input is not properly sanitized before being outputted, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely by injecting a script payload into the URL, which could then be executed in the context of the user's browser, potentially leading to cookie theft if the appropriate cookie flags are not set.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload the application to a web server and navigate to the index.php file. Inject a script payload by appending it to the URL, such as 'index.php/p6eum'><script>alert(1)</script>'. This will trigger an alert box, demonstrating the successful execution of the injected script.