CVE-2018-15676
Description
XBTIT torrent tracker's anti-XSS mechanism can be bypassed using String.replace and eval, allowing reflected XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue in BTITeam XBTIT allows bypassing the anti-XSS mechanism in includes/crk_protection.php. This module checks incoming requests for dangerous strings (e.g., .cookie), but the check can be circumvented by using String.replace to break up filtered terms and eval to execute the reconstructed payload. The vulnerability affects all versions of XBTIT prior to any patch addressing this bypass [1].
Exploitation
An attacker can craft a payload that uses String.replace to insert a placeholder (e.g., tilde) into filtered strings, then remove the placeholder and execute the result via eval. For example, the payload eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g, '').slice(1,-1)) bypasses the filter and executes alert(document.cookie). This payload can be injected into the keywords parameter of the forum search function at /index.php?page=forums&action=search. The attacker must trick an authenticated user into visiting a crafted URL [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to theft of session cookies, enabling account hijacking, or other malicious actions such as defacement or data exfiltration. The attack targets authenticated users, potentially compromising their accounts and any associated privileges [1].
Mitigation
No official patch has been released as of the publication date (2018-09-05). Users should consider disabling the forum search functionality or implementing additional input validation and output encoding to prevent XSS. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The anti-XSS filter in includes/crk_protection.php uses a blacklist of dangerous strings but does not block the eval function or the String.replace technique, allowing blocked strings to be reconstructed at runtime."
Attack vector
An attacker crafts a JavaScript payload that splits blocked strings (such as `.cookie`) by inserting a harmless delimiter (e.g. `~`) and then uses `String.replace(/~/g, '')` to remove the delimiters, reconstructing the original dangerous string. The payload is then passed to `eval()` to execute arbitrary JavaScript. Because `eval` itself is not in the filter's blocklist, the entire obfuscated payload bypasses the anti-XSS mechanism [ref_id=1]. The attacker can deliver this payload via any user-controllable input that is later evaluated or rendered unsafely, such as the `keywords` parameter in the forum search page or the `act` parameter in the signup page [ref_id=1].
Affected code
The vulnerable module is `includes/crk_protection.php`, which checks incoming requests for dangerous string signatures (e.g. `.cookie`). The researcher notes that the filter blocks basic XSS payloads containing those strings, but fails to detect the `eval` function or block the use of `String.replace` to reconstruct blocked terms at runtime [ref_id=1].
What the fix does
The advisory states that users should "update to the version that supersedes 2.5.4 or apply [the referenced] patch" [ref_id=1]. No patch diff is included in the bundle, so the exact code change is not visible. The remediation would need to either extend the filter to detect `eval` and `String.replace` usage, or—more robustly—replace the blacklist-based approach with proper output encoding and context-aware escaping to prevent XSS entirely.
Preconditions
- config: The application must use the includes/crk_protection.php anti-XSS module to filter incoming requests
- input: The attacker must be able to supply input that is later reflected or evaluated as JavaScript (e.g. via the forum search or signup page)
Reproduction
The researcher provides the following proof-of-concept request targeting the forum search page [ref_id=1]:
```http
GET /index.php?page=forum&action=search&keywords=%22%3E%3Cimg%20src=x%20onerror=%22eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g,%20%27%27).slice(1,-1))%22%3E%3C HTTP/1.1
Host: xbtit.vm
```
The payload wraps the obfuscated code in a regular-expression literal whose source text contains tildes that break up `document.cookie`, converts it to a string with `.toString()`, calls `.replace(/~/g, '')` to remove the tildes and `.slice(1,-1)` to strip the `/` delimiters, and hands the result to `eval()`, which executes `alert(document.cookie)` [ref_id=1].
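To make the filter-bypass described under "Attack vector" and the remediation under "What the fix does" concrete, the following added example (not code from XBTIT or the advisory) models a request-time blocklist of the kind `crk_protection.php` is described as using, shows that the advisory's PoC value passes it, and contrasts that with attribute-context output encoding, which neutralises the value without having to recognise it. The blocklist contents, the `keywords` reflection markup and all function names are assumptions made for illustration.

```javascript
// Illustrative blocklist (assumed): the advisory only says signatures such as ".cookie" are checked.
const BLOCKED_SIGNATURES = [".cookie", "document.cookie", "<script", "alert("];

// Decoded keywords value from the advisory's PoC request; tildes split the blocked words.
const ADVISORY_PAYLOAD =
  '"><img src=x onerror="eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g, \'\').slice(1,-1))"><';

// Request-time check in the style of crk_protection.php: plain substring matching on the raw input.
function blocklistAllows(input) {
  const lower = input.toLowerCase();
  return !BLOCKED_SIGNATURES.some((sig) => lower.includes(sig));
}

// Naive hardening: strip obvious split characters before matching. This catches the PoC as written,
// but any other way of rebuilding the string at runtime slips through again, so it is not a fix.
function normalizedBlocklistAllows(input) {
  return blocklistAllows(input.replace(/[~`]/g, ""));
}

// Detection signal for a WAF rule or log review: eval paired with runtime string rebuilding.
function looksLikeRuntimeReconstruction(input) {
  return /\beval\s*\(/i.test(input) && /\.replace\s*\(/i.test(input);
}

// The robust fix: encode for the HTML attribute context before reflecting. Nothing here inspects
// the value; the characters that would close the attribute or open a tag simply cannot appear.
function encodeForHtmlAttribute(value) {
  return value.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" })[c]);
}

// Assumed shape of the search form that reflects the keywords parameter.
function renderSearchBox(keywords) {
  return `<input type="text" name="keywords" value="${encodeForHtmlAttribute(keywords)}">`;
}

// Does the reflected value stay confined inside the value="..." attribute?
function attributeStaysClosed(html) {
  const open = html.indexOf('value="') + 'value="'.length;
  const inner = html.slice(open, html.lastIndexOf('">'));
  return !/[<>"]/.test(inner);
}
```

Run `blocklistAllows(ADVISORY_PAYLOAD)` to see the blocklist pass the obfuscated value, and `attributeStaysClosed(renderSearchBox(ADVISORY_PAYLOAD))` to see the encoded reflection keep it inert.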
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. rastating.github.io/xbtit-multiple-vulnerabilities/ (MITRE refsource: MISC)
News mentions (0)
No linked articles in our index yet.