aerouk imageserve cross site scripting

Vulnerability

The aerouk imageserve application, up to but not including the commit 2ac3cd4 [2], suffers from a reflected cross-site scripting (XSS) vulnerability. The bug resides in the twitter:url meta tag within the HTML templates, where the $_SERVER['REQUEST_URI'] value is echoed directly without sanitization. An attacker can inject arbitrary JavaScript by crafting a malicious URL containing an XSS payload in the request URI. The application does not require any special configuration for the vulnerable code path to be reachable [1][2].

Exploitation

An attacker can exploit this vulnerability remotely by sending a specially crafted HTTP request to the server. The attack has high complexity, meaning the exploitation is difficult [description]. The crafted URL includes a payload in the REQUEST_URI (e.g., ?x=">). The server reflects this payload into the page's meta tags, which is then executed by the browser when the page is accessed. User interaction is not strictly required beyond accessing the crafted URL; however, the attacker must convince the target to visit the malicious link [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session against the imageserve application. This could lead to information disclosure (e.g., session cookies, page content), UI manipulation, or phishing attacks – the typical impacts of reflected XSS. The attacker does not gain control of the server itself, but compromises the security of the user's interaction with the application [1].

Mitigation

The vulnerability was fixed in commit 2ac3cd4f90b4df66874fab171376ca26868604c4 [2]. The fix wraps the $_SERVER['REQUEST_URI'] value with htmlspecialchars() to sanitize output. The official advisory recommends applying this patch [description]. The repository has been archived and is read-only as of January 2024, so no further updates are expected. No workarounds are documented in the available references [1][2].