Asian Arts Talents Foundation Website and Docker Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Asian Arts Talents Foundation (AATF) Website version 5.1.x and the Docker image aatf/aatf.us, specifically in the /ip.php endpoint. This vulnerability arises because the endpoint processes the X-Forwarded-For HTTP header without adequate sanitization or output encoding. As a result, an attacker can inject malicious JavaScript that executes in the browsers of visitors.

Impact

Exploitation of this vulnerability allows for arbitrary execution of JavaScript in the context of the user's browser, potentially leading to the theft of session cookies or authentication tokens, injection of malicious scripts such as keyloggers or phishing payloads, account hijacking, and damage to user trust and brand reputation.

Reproduction

To reproduce this vulnerability, send a request to the /ip.php endpoint with an injected script in the X-Forwarded-For header. This can be done using a cURL command or by intercepting the request with Burp Suite to modify the header before it reaches the server. Once the payload is injected, the script will execute in the browser, demonstrating the cross-site scripting vulnerability.

Remediation

To address this vulnerability, sanitize all dynamic output by using functions that convert special characters to HTML entities, such as htmlspecialchars, before displaying header values. Additionally, consider implementing security headers like Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options, enforcing HTTPS, and monitoring header values for anomalies.