CVE-2018-15678

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in BTITeam XBTIT version 2.5.4. The act parameter in the sign-up page, accessible at /index.php?page=signup, is not properly sanitized, allowing injection of arbitrary HTML and JavaScript into the response. The application includes an anti-XSS filter in includes/crk_protection.php that blocks strings like .cookie, but the filter can be bypassed using String.replace with eval to reconstruct blocked strings [1].

Exploitation

An attacker can exploit the vulnerability by crafting a malicious URL containing XSS payload in the act parameter. The attacker does not need authentication; the victim need only visit the crafted URL. The payload can bypass the built-in filter by using JavaScript techniques such as splitting dangerous strings with a harmless character and then reconstructing them using replace and eval, as demonstrated with eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g, '').slice(1,-1)) [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This enables actions such as stealing session cookies, defacing pages, or performing actions on behalf of the victim without their consent. Since the vulnerability is reflected, it is typically used in social engineering attacks (e.g., phishing) to lure users to the crafted link [1].

Mitigation

No official patch has been released as of the publication date (2018-09-05). The vendor has not addressed the issue in the available references. Users are advised to upgrade to a later, patched version if available, or to apply input validation and output encoding to the act parameter manually. Until a fix is deployed, administrators can consider using a web application firewall (WAF) to block malicious payloads targeting the sign-up page [1].