Acunetix XSS Report - XSS

3/24/2019 8:55:59 PM
PHPRunner General questions
pinoyoutdoor author

Hello everyone, we have our security audit this year for all our deployed projects.

Unfortunately, two XSS vulnerabilities were found by the audit team using the Acunetix scanning tool.

We will not be cleared if we can't fix this issue. All PHPRunner projects are affected...
Need your help...
Excerpt summary below...
Cross site scripting

Severity High

Reported by module Scripting (XSS.script)
/myweb/remind.php

Details

URL encoded POST input username_email was set to woavsybh'"()&%<acx><script >qsiK(9754)</ScRiPt>
/myweb/login.php

Details

URI was set to "onmouseover='IHPb(9314)'bad="

The input is reflected inside a tag parameter between double quotes.
/myweb/remind.php

Details

URI was set to "onmouseover='7Rju(9995)'bad="

The input is reflected inside a tag parameter between double quotes.
In-browser test:

https://10.0.0.1/myweb/login.php?id="onmouseover='IHPb(9314)'bad=";
View browser source (a bunch of lines were added to the HTML code; sample below):

<form method="post" action='login.php' id="form"onmouseover='IHPb(9314)'bad="" name="form"onmouseover='IHPb(9314)'bad="">
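The scanner findings above describe one mechanism: a request-controlled value is written into a double-quoted attribute of the form tag, so the leading quote in the probe closes the attribute and the remainder is parsed as a new onmouseover attribute. The following is an added example, not PHPRunner's code and not the original poster's, showing the unescaped pattern beside the escaped one, with a small check a reviewer can run over the generated markup. The helper names attr and hasAttributeBreakers and the probe string are assumptions constructed for this illustration; the probe is modelled on the scanner input quoted above.

```php
<?php
// Added example (not PHPRunner's code): escaping a request-controlled value
// before it is reflected inside a quoted HTML attribute.

declare(strict_types=1);

// Escape a value for use inside a quoted HTML attribute.
// ENT_QUOTES encodes both " and ', so the helper is safe for single- and
// double-quoted attributes (the reported form mixes both styles);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Review check: does an attribute value still contain characters that can
// terminate the attribute or the tag? Run this over any generated markup
// that embeds request data; it should return false for escaped output.
function hasAttributeBreakers(string $attributeValue): bool
{
    return preg_match('/["\'<>]/', $attributeValue) === 1;
}

// Constructed probe string modelled on the scanner input in the report.
$probe = "\"onmouseover='IHPb(9314)'bad=\"";

// Unescaped pattern: the raw value is concatenated into id="...", so the
// leading quote closes the id attribute and onmouseover becomes a real
// attribute of the form element. This reproduces the reported finding.
$unescaped = '<form method="post" action="login.php" id="form' . $probe . '" name="form">';

// Hardened pattern: the same value passed through attr() stays inside the
// quotes as inert text. Values that never need to be dynamic (a form id,
// the action path) are better written as constants than reflected at all.
$hardened = '<form method="post" action="login.php" id="form' . attr($probe) . '" name="form">';

echo "unescaped: ", $unescaped, PHP_EOL;
echo "escaped:   ", $hardened, PHP_EOL;

// The check flags the raw value and clears the escaped one.
var_dump(hasAttributeBreakers($probe));        // bool(true)
var_dump(hasAttributeBreakers(attr($probe)));  // bool(false)
```

Two points worth carrying into the audit response: escaping must match the context (an attribute value here, which is why ENT_QUOTES matters), and escaping is applied at output time, on the value as it is written into the HTML, not by filtering the request at the door. If the reflected value is the request URI itself, the simplest fix is usually to stop reflecting it and emit a fixed path.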