0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

FlightAirMap Reflected XSS

The Issue

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim's browser. This may lead to unauthorised actions being performed, unauthorised access to data, theft of session information, denial of service, etc. Because the payload is reflected rather than stored, an attacker must first coerce a victim into visiting a link containing the XSS payload for the issue to be exploited.

The FlightAirMap registration-sub-menu file overly trusts user-controlled input: the registration query parameter is written into the page without sufficient sanitisation, which allows an attacker to execute JavaScript code in the context of a victim's browser.

Where the Issue Occurred

The code below echoes the registration GET parameter directly into an href attribute without sufficient sanitisation (found on line 18 of FlightAirMap/registration-sub-menu.php#18):

<li><a href="<?php print $globalURL; ?>/registration/<?php print $_GET['registration']; ?>" <?php if (strtolower($current_page) == "registration-detailed"){print 'class="active"'; } ?>><?php echo _("Detailed"); ?></a></li>
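As an added example that is not FlightAirMap's own code, the PHP script below rebuilds the same sub-menu link with a constructed input in place of a real request, placing the vulnerable pattern beside an output-encoded version and an allow-list check. The value of $globalURL, the allow-list pattern and the helper function names are assumptions.

```php
<?php
// Added example, not FlightAirMap's code. Renders the "Detailed" sub-menu
// link once with the raw value (the vulnerable pattern) and once with
// context-appropriate output encoding, using a constructed input.
declare(strict_types=1);

// Constructed sample input standing in for $_GET['registration'].
$untrusted = '"><script>alert(1)</script>';
$globalURL = '/fam';                   // assumed base URL value
$currentPage = 'registration-detailed';

// Vulnerable pattern from the advisory: the value lands inside href unencoded,
// so a double quote in the input closes the attribute and the tag.
function renderUnsafe(string $globalURL, string $registration, string $currentPage): string
{
    $active = (strtolower($currentPage) === 'registration-detailed') ? ' class="active"' : '';
    return '<li><a href="' . $globalURL . '/registration/' . $registration . '"' . $active . '>Detailed</a></li>';
}

// Hardened version: encode for each context the value passes through.
// rawurlencode() makes it a safe URL path segment; htmlspecialchars() with
// ENT_QUOTES then makes the complete attribute value safe inside double quotes.
function renderSafe(string $globalURL, string $registration, string $currentPage): string
{
    $active = (strtolower($currentPage) === 'registration-detailed') ? ' class="active"' : '';
    $href = $globalURL . '/registration/' . rawurlencode($registration);
    return '<li><a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"' . $active . '>Detailed</a></li>';
}

// Defence in depth: a registration is an aircraft identifier, so an allow-list
// (assumed pattern: letters, digits and hyphens, 1 to 10 characters) rejects
// anything that could not be a valid value before it is rendered at all.
function isValidRegistration(string $registration): bool
{
    return preg_match('/^[A-Za-z0-9-]{1,10}$/', $registration) === 1;
}

echo 'unsafe:  ' . renderUnsafe($globalURL, $untrusted, $currentPage) . PHP_EOL;
echo 'safe:    ' . renderSafe($globalURL, $untrusted, $currentPage) . PHP_EOL;
echo 'allowed: ' . var_export(isValidRegistration($untrusted), true) . PHP_EOL;
echo 'allowed: ' . var_export(isValidRegistration('G-ABCD'), true) . PHP_EOL;
```

Run it with `php` from the command line: the unsafe line shows the injected tag breaking out of the attribute, while the safe line keeps the whole value inside the href as an encoded path segment.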

Disclosure Timeline

  • Issue Reported: 19th July 2018
  • Issue Resolved: 20th July 2018
  • Blog Post Published: 8th August 2018
  • Applied for CVE: 8th August 2018