Описание
XSS within PHP-FPM status endpoint
Improper sanitization of the request URI within the PHP-FPM status page allows an attacker to execute arbitrary JavaScript code (XSS) on the victims machine, possibly stealing cookies on insufficiently hardened systems, or stealing other sensitive data such as the information from the status page itself. An attacker does not require authentication or access to the /status endpoint in order to trigger XSS, but may simply visit a URI embedding the malicious code.
- Navigate to
example.com/<script>alert()</script> - Navigate to
example.com/status?full&html - Observe the JavaScript pop-up.
The same is possible for the XML endpoint, possibly embedding malicious XML nodes into the status report.
- Navigate to
example.com/< - Navigate to
example.com/status?full&xml - Observe the XML parsing error.
Пакеты
PHP-FPM
< 8.2.31
8.2.31
PHP-FPM
< 8.3.31
8.3.31
PHP-FPM
< 8.4.21
8.4.21
PHP-FPM
< 8.5.6
8.5.6
Связанные уязвимости
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before ...