Diskover Community Reflected Cross-Site Scripting Vulnerability in selectindices.php
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Diskover Community versions through 2.3.5. The issue resides in the public/selectindices.php file, where the namecontains GET parameter is echoed without proper sanitization. This unsanitized input is injected into both an HTML href attribute and a JavaScript window.location.href string, creating two separate contexts for potential exploitation.
Impact
Exploitation of this vulnerability allows for the theft of session cookies, including the PHPSESSID cookie, leading to full account takeover. This impact extends to all authenticated users, including administrators.
Reproduction
To reproduce this vulnerability, first ensure that a valid Elasticsearch index exists. Then, visit the selectindices.php page with a crafted URL that includes the namecontains parameter. The injected JavaScript will execute immediately, demonstrating the cross-site scripting vulnerability. For a real-world exploitation scenario, the same crafted URL can be used to silently exfiltrate cookies to an attacker-controlled server.
Remediation
To address this vulnerability, sanitize the namecontains parameter before injecting it into the JavaScript or HTML context. For the JavaScript context, use json_encode to safely encode the parameter. For the HTML context, apply htmlspecialchars to escape the parameter properly.
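The following PHP sketch, added here and not taken from Diskover's source, reconstructs the two sink contexts the advisory names and places the prescribed fix beside each. The surrounding markup, the variable name, and the assumption that namecontains is re-embedded as a query-string component are constructed for illustration.

```php
<?php
// Added example, not Diskover's own code: a minimal reconstruction of the two
// sink contexts described in the advisory, with a hardened version beside each.
// The markup, helper names and the query-string embedding are assumptions.

// Untrusted input: the namecontains GET parameter.
$namecontains = $_GET['namecontains'] ?? '';

// --- Vulnerable pattern (the behaviour the advisory describes) ---
// 1. Raw reflection into an HTML href attribute: a double quote in the input
//    closes the attribute, so arbitrary attributes or tags can follow.
// 2. Raw reflection into a JS string literal: a quote or </script> in the
//    input terminates the literal or the whole script block.
//
//   echo '<a href="selectindices.php?namecontains=' . $namecontains . '">Filter</a>';
//   echo '<script>window.location.href = "selectindices.php?namecontains='
//      . $namecontains . '";</script>';

// --- Hardened version ---

// HTML attribute context: htmlspecialchars with ENT_QUOTES neutralises both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty
// string that would silently drop the filter value.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: json_encode emits a valid JS string literal. The HEX
// flags additionally hex-escape < > & ' " so the result cannot close the
// enclosing <script> element when the literal is inlined into HTML.
// JSON_INVALID_UTF8_SUBSTITUTE prevents json_encode returning false.
function js_string(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Because the value is reused as a URL query component, percent-encode it
// first; the context-specific encoders then protect the HTML and JS layers.
$encoded = rawurlencode($namecontains);

echo '<a href="selectindices.php?namecontains=' . html_attr($encoded) . '">Filter</a>';
echo '<script>window.location.href = '
   . js_string('selectindices.php?namecontains=' . $encoded)
   . ';</script>';
```

Each layer encodes for exactly one context: rawurlencode for the URL, htmlspecialchars for the attribute, json_encode for the script literal; skipping the JS layer and reusing the HTML-escaped value would still leave the window.location.href string breakable.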
