Diskover Community Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Diskover Community versions through 2.3.5. The issue resides in the 'public/view.php' file, where the 'doctype' parameter is echoed into HTML href attributes without proper sanitization. This vulnerability allows attackers to execute arbitrary JavaScript in the context of the user's browser.

Impact

Exploitation of this vulnerability leads to full session hijacking by stealing the 'PHPSESSID' cookie, which is critical for maintaining an active session. This impact is confirmed to affect all authenticated users, including administrators.

Reproduction

To reproduce this vulnerability, log in with valid credentials and select a valid Elasticsearch index. Then visit the 'view.php' page with a crafted URL that includes a script tag in the 'doctype' parameter. The injected script executes in the browser; if it calls alert on the document's cookies, the session cookies are displayed in an alert box, confirming successful exploitation.

Remediation

To address this vulnerability, sanitize the 'doctype' parameter before echoing it into the HTML. This can be done by using the 'htmlspecialchars' function to convert special characters to HTML entities, preventing the execution of injected scripts. Additionally, consider adding a Content Security Policy header to restrict the sources from which content can be loaded.
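The following added example, which is not Diskover's own code, contrasts the unescaped pattern described above with an encoded form and shows a Content Security Policy header being set. The function names, the link layout, the allow-listed 'doctype' values and the policy string are assumptions made for illustration.

```php
<?php
// Added illustration, not Diskover's code: names and link layout are hypothetical.

// Pattern the advisory describes: the request value is echoed raw into an href.
function render_link_unsafe(array $query): string
{
    $doctype = $query['doctype'] ?? '';
    return '<a href="view.php?doctype=' . $doctype . '">view</a>';
}

// Hardened form: allow-list, then encode for the URL, then for the HTML attribute.
function render_link_safe(array $query): string
{
    $allowed = ['file', 'directory'];   // assumed set of legitimate values
    $doctype = $query['doctype'] ?? '';
    // Rejects arrays (doctype[]=x) and anything outside the allow-list.
    if (!is_string($doctype) || !in_array($doctype, $allowed, true)) {
        $doctype = $allowed[0];
    }
    $href = 'view.php?doctype=' . rawurlencode($doctype);
    // ENT_QUOTES matters here: the value sits inside a quoted attribute.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">view</a>';
}

function send_csp_header(): void
{
    // Illustrative policy; a real one must be tuned to the scripts the application loads.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Headers must be sent before any output; skipped when run from the command line.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    send_csp_header();
}

// Constructed input standing in for the crafted 'doctype' value.
$sample = ['doctype' => '"><script>alert(1)</script>'];

echo render_link_unsafe($sample), PHP_EOL;   // markup breaks out of the attribute
echo render_link_safe($sample), PHP_EOL;     // falls back to an allow-listed value
// Encoding alone, for values that cannot be allow-listed:
echo htmlspecialchars($sample['doctype'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

Run from the command line, the three output lines show the raw breakout, the allow-listed fallback and the entity-encoded value side by side.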

Added: Apr 27, 2026, 5:25 PM
Updated: Apr 27, 2026, 5:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.