dayrui XunRuiCMS JSONP Callback Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in dayrui XunRuiCMS versions through 4.7.1. The issue lies in the JSONP callback handling of the dr_show_error and dr_exit_msg functions in the /dayrui/Fcms/Init.php file. Remote attackers can inject arbitrary JavaScript into the response by manipulating the 'callback' parameter, which is echoed back without proper sanitization. Successful exploitation can lead to session hijacking, credential theft, and other malicious actions.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser. This could be used to steal cookies, hijack sessions, capture credentials through fake login forms, redirect users to malicious sites, deface pages, inject keyloggers, or conduct phishing attacks within the trusted domain.

Reproduction

To reproduce this vulnerability, send a request to the vulnerable endpoint with a crafted 'callback' parameter that includes JavaScript code, such as an alert function. The server reflects the parameter in its response, and the browser executes the injected script.

Remediation

It is recommended to validate the 'callback' parameter using a whitelist approach, ensuring that only safe, expected values are accepted.
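
One way to implement the validation recommended above, as an added example that is not XunRuiCMS code. The function names, the 64-character limit, the fallback to plain JSON and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: helper names and the length limit are assumptions, not XunRuiCMS code.
const JSONP_CALLBACK_MAX_LEN = 64;

/** Return $raw if it is a plain dotted JavaScript identifier, otherwise null. */
function safe_jsonp_callback($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > JSONP_CALLBACK_MAX_LEN) {
        return null; // arrays (callback[]=x), empty and oversized values are rejected
    }
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    // \A and \z anchor the whole string; "$" alone would tolerate a trailing newline.
    $pattern = '/\A' . $ident . '(?:\.' . $ident . ')*\z/';
    return preg_match($pattern, $raw) === 1 ? $raw : null;
}

/** Build [content type, body] for an error message; plain JSON if the callback is rejected. */
function build_error_response(array $payload, $rawCallback): array
{
    // JSON_HEX_* turns <, >, &, ' and " into \uXXXX escapes so the data part stays inert.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE;
    $json = json_encode($payload, $flags);
    $callback = safe_jsonp_callback($rawCallback);
    if ($callback === null) {
        return ['application/json; charset=utf-8', $json];
    }
    return ['application/javascript; charset=utf-8', $callback . '(' . $json . ');'];
}

function send_error_response(array $payload, $rawCallback): void
{
    [$type, $body] = build_error_response($payload, $rawCallback);
    if (PHP_SAPI !== 'cli') {
        header('Content-Type: ' . $type);
        header('X-Content-Type-Options: nosniff'); // stop browsers sniffing the body as HTML
    }
    echo $body, PHP_EOL;
}

// Constructed inputs: two accepted names, then values that fall outside the allowlist.
$samples = ['jQuery123_456', 'app.handlers.onError', 'cb<b>', "cb\n", 'cb(1)', ['x'], ''];
foreach ($samples as $cb) {
    send_error_response(['code' => 0, 'msg' => 'constructed <error> text'], $cb);
}
```

The example needs PHP 7.2 or later. Run from the command line, only the first two samples produce a callback wrapper; the rest are answered as plain JSON.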

Added: Dec 28, 2025, 5:20 PM
Updated: Dec 28, 2025, 5:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 7.9
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.