It will help you improve your skills and understand how to start this journey!
In 2020 I needed to switch the internet provider at my house, so, like many Italians, I went with the OpenFiber network.
I am writing this article after the success of https://daniele.tech/2024/03/how-i-hacked-a-course-platform-built-with-wordpress/, as this one was never disclosed “publicly”.
At the end of the day the task was to try the various providers' websites to find the best one and to check whether your address was covered by their service.
All those websites have a page where you enter your address, city etc. and they check somewhere whether you can use the OpenFiber service.
I was curious about the new Italian providers; maybe they could offer a better service than the giants…
In this case Fibra.city showed some red flags on its website.
So let's look at the issue, which has been there for 4 years despite my various emails (to 5 different email contacts), my Facebook messages and an OpenBugBounty report!
The XSS
I published it on OpenBugBounty, which confirmed the issue; years later it is still marked as unpatched.
- Go to https://fibra.city/copertura.php (the fact that the server-side language was exposed in the URL suggested to me that probably not many things were done well, as today this happens less and less)
- Type a city, e.g. “Rome”
- You get redirected to another page, the one with the issue
- You end up on a URL like https://fibra.city/vercop2.php?id_comune=57059&comune=Rieti&id_provincia=57&id_provincia=57
- The issue is in the `comune` parameter: it gets no sanitization or encoding and its content is printed into the page as-is
- The real problem is that it is also printed inside JavaScript code on the page, so a value containing JS syntax becomes part of the script
- It is enough to type something in the search field and the injected code is executed
Let’s see the code in this HTML page:
```html
<script>
function showResult(str) {
  var valore = str;
  valore = valore.trim();
  if (valore.length<=1) {
    document.getElementById("loading").innerHTML="";
    document.getElementById("livesearch").innerHTML="";
    document.getElementById("livesearch").style.border="0px";
    return;
  }
  if (window.XMLHttpRequest) {
    // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp=new XMLHttpRequest();
  } else {
    // code for IE6, IE5
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange=function() {
    if (xmlhttp.readyState==4 && xmlhttp.status==200) {
      document.getElementById("loading").innerHTML="";
      document.getElementById("livesearch").innerHTML=xmlhttp.responseText;
      document.getElementById("livesearch").style.border="1px solid #A5ACB2";
    }
  }
  document.getElementById("loading").innerHTML="<img src='/img/verifica_indirizzo.gif' />";
  // the `comune` query parameter (here "Rieti") is reflected, unescaped, into this string literal
  xmlhttp.open("GET","vercop_ricerca.php?id_comune=57059&comune=Rieti&cd=&anche_aeb=&str_indirizzo="+str,true);
  xmlhttp.send();
}
</script>
```
You can see near the bottom, in the xmlhttp.open() call, that the parameter value (`Rieti` here) is written straight into the string literal.
So with a crafted URL like this: https://fibra.city/vercop2.php?id_comune=57059&comune=R');alert(1)//
typing something in the input field gets your injected JavaScript executed.
Let's see how it works:
- The page most likely just prints the content of the URL parameter `comune` into the script, so whatever we put in the URL lands inside that JS string literal
- Close the JS string with a `'` and the `open(` call with a `)` (the quote must match the delimiter the live page actually emits; the snippet above shows `"`, while the payload that worked uses `'`)
- Add a `;` to end the statement
- Add the JS code we want, e.g. `alert(1)`
- Finish with `//`, a JS line comment, so the leftover `&cd=...+str,true);` on the rest of that line is ignored instead of causing a syntax error
This JS function runs every time the user types in the search input, so the injected code fires as soon as the typed text is longer than one character (shorter input returns early, as the check at the top of the function shows).
Conclusion
At http://1200373.openbounty.org/mirror/ you can see a mirror of that page, but at the time of writing the issue is still there.
There are 2 easy fixes:
- The request already carries `id_comune`, so the best fix is to look up the city name in the database by that id and drop the `comune` parameter entirely: nothing user-controlled gets printed at all
- Alternatively, encode the parameter in PHP before printing it. Simply stripping characters is the wrong tool here, because `'` is a legitimate apostrophe in Italian city names; the value should be escaped for the context it lands in (e.g. `json_encode()` for the JS string, `htmlspecialchars()` for the HTML) so apostrophes are preserved but can no longer terminate the string
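To make the two contexts concrete, here is an added example (my own illustration, not code from fibra.city or from the original article): a JavaScript reduction of the page's showResult() that models how vercop2.php presumably splices the `comune` parameter into the inline script, with the naive concatenation beside a version that encodes the value. The template, the `run()` harness, the "Via Roma" input and the id used for L'Aquila are constructed for this demo; the only values taken from the article are 57059/Rieti and the `R');alert(1)//` payload. It assumes the live page delimits the URL string with single quotes, which is what that payload requires.

```javascript
// Added example, not code from fibra.city or the original article: a reduction
// of the page's showResult() that models how the server-side template
// presumably splices the `comune` query parameter into the inline script.
// Assumption: the live page delimits the URL string with single quotes,
// which is what the author's `R');alert(1)//` payload needs to break out.

// Naive rendering: the raw parameter is concatenated into a JS string literal.
function renderNaive(idComune, comune) {
  return "xmlhttp.open('GET','vercop_ricerca.php?id_comune=" + idComune +
         "&comune=" + comune + "&str_indirizzo='+str,true);\n" +
         "xmlhttp.send();";
}

// Turns a value into a JS string literal that is safe inside a <script> block:
// JSON.stringify escapes quotes, backslashes and newlines; the extra
// replacements keep `</script>`, `<!--` and `&` from being interpreted by the
// HTML parser even when the value was not URL-encoded first.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// Hardened rendering: the id is coerced to a number and the city name is
// URL-encoded (so it stays one query-string value) before being emitted as a
// proper string literal. Apostrophes survive; they just cannot end the string.
function renderSafe(idComune, comune) {
  const idLit = jsStringLiteral(String(Number(idComune)));
  const comuneLit = jsStringLiteral(encodeURIComponent(comune));
  return "xmlhttp.open('GET','vercop_ricerca.php?id_comune='+" + idLit +
         "+'&comune='+" + comuneLit +
         "+'&str_indirizzo='+encodeURIComponent(str),true);\n" +
         "xmlhttp.send();";
}

// Executes a rendered script with stand-ins for the browser globals it touches:
// `alert` counts attacker calls, `xmlhttp` records the URL the page requested,
// `str` is the text the user typed into the search box. A SyntaxError from
// new Function means the generated script would not even parse in a browser.
function run(scriptBody, typed) {
  const result = { alerts: 0, url: null };
  const xmlhttp = {
    open: (_method, url) => { result.url = url; },
    send: () => {},
  };
  const alert = () => { result.alerts += 1; };
  new Function("alert", "xmlhttp", "str", scriptBody)(alert, xmlhttp, typed);
  return result;
}

// Constructed inputs: 57059/Rieti comes from the URL in the article and the
// payload is the author's; the typed address and the id for L'Aquila are made up.
function demo() {
  const payload = "R');alert(1)//";
  const typed = "Via Roma";
  return {
    benign: run(renderNaive(57059, "Rieti"), typed),       // works as intended
    naiveAttack: run(renderNaive(57059, payload), typed),  // alert fires once
    safeAttack: run(renderSafe(57059, payload), typed),    // payload is inert data
    safeApostrophe: run(renderSafe(1, "L'Aquila"), typed), // legit apostrophe kept
  };
}

// Even without an attacker, a real city name with an apostrophe breaks the
// naive template: the generated script is a SyntaxError.
function naiveBreaksOnApostrophe() {
  try {
    run(renderNaive(1, "L'Aquila"), "Via Roma");
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```

The apostrophe case is the one to keep in mind when reviewing a fix: it shows why a blacklist that strips `'` is both wrong (it mangles legitimate names) and unnecessary (an encoded literal keeps the apostrophe and is still inert).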
The lesson?
Never reflect a string the user controls into the page as-is, and don't trust it.
In the end this XSS is not very critical: the customer portal is on another domain, so a victim would have to open a crafted link and then type in the search field, and even then reaching anything on another subdomain would depend on how the cookies are scoped (if the portal's cookies were set for the parent domain, script on fibra.city could read them).
NOTE
EDIT: On the fibra.click forum support requests about this provider are not allowed; it seems to be very bad for various reasons…