CVE-2006-4577

MEDIUM 6.8 / 10.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM
Source: PSIRT-CNA@flexerasoftware.com

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in The Address Book 1.04e allow remote attackers to inject arbitrary web script or HTML via Javascript events in the (1) email, (2) websites, and (3) groupAddName parameters in (a) save.php; the (4) errorMsg parameter in (b) index.php; and the (5) goTo and (6) search parameters in (c) search.php.

CVSS Metrics

Base Score: 6.8
Severity: MEDIUM
Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e is vulnerable to multiple cross-site scripting (XSS) attacks, allowing attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, data theft, and website defacement, potentially compromising sensitive user information and the integrity of the application. Exploitation is straightforward, requiring only crafted URLs to inject malicious JavaScript into vulnerable parameters.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker crafts a malicious URL containing a JavaScript payload within one of the vulnerable parameters (e.g., email, websites, groupAddName, errorMsg, goTo, or search). The payload is designed to execute arbitrary JavaScript code when the parameter is rendered in the victim's browser.

Step 2: Payload Delivery: The attacker distributes the malicious URL through various means, such as phishing emails, social engineering, or by embedding it on a compromised website. The URL is designed to target the vulnerable application.

Step 3: Victim Interaction: A legitimate user clicks on the malicious URL or visits a page containing it. The user's browser sends a request to the vulnerable Address Book application carrying the attacker's crafted payload.

Step 4: Server-Side Processing: The application processes the request, including the attacker's injected JavaScript code. Due to the lack of input validation and output encoding, the application stores the malicious code in its database or displays it directly in the response.

Step 5: Browser Rendering: The application sends the response back to the victim's browser. The browser renders the HTML, including the attacker's injected JavaScript code. The browser interprets the injected code as part of the HTML structure.

Step 6: Payload Execution: The victim's browser executes the JavaScript payload. This allows the attacker to perform various malicious actions, such as stealing the user's session cookies, redirecting the user to a phishing site, or defacing the website.

03 // Deep Technical Analysis

The root cause of the vulnerability lies in the lack of proper input validation and output encoding within The Address Book 1.04e. Specifically, the application fails to sanitize user-supplied data before displaying it in various contexts, including email addresses, website URLs, group names, error messages, search terms, and navigation parameters. This allows attackers to inject arbitrary HTML and JavaScript code into these parameters. When a user views a page containing the injected code, the browser executes the malicious script, leading to the XSS vulnerability. The absence of output encoding (e.g., HTML entity encoding) is the primary flaw, as it allows the browser to interpret the injected code as part of the HTML structure.
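The steps above and the root-cause paragraph both come down to one pattern: a request parameter is written into the HTML response without encoding. The PHP below is an added example written for this page, not code from The Address Book 1.04e (its save.php, index.php and search.php were not consulted); the function names, the input-field markup and the constructed sample value are assumptions. It shows the unencoded output pattern next to the encoded one, and why quote characters have to be encoded as well when the injection point is an HTML attribute, which is the case for the "JavaScript events" this CVE describes.

```php
<?php
// Added example for CVE-2006-4577, not the application's own code.
// render_unsafe(), render_safe(), esc() and safe_href() are hypothetical names.

// Vulnerable pattern: the parameter (errorMsg, search, email, ...) is
// interpolated into the page exactly as received.
function render_unsafe(string $label, string $value): string
{
    return "<p>$label: <input type=\"text\" value=\"$value\"></p>";
}

// Hardened pattern: encode at output time for the HTML context the value
// lands in. ENT_QUOTES is the important flag here: in an attribute context a
// bare " ends the attribute, so encoding only < and > is not sufficient.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $label, string $value): string
{
    return '<p>' . esc($label) . ': <input type="text" value="' . esc($value) . '"></p>';
}

// For a value that ends up in an href (the websites parameter), encoding is
// necessary but not sufficient; as a general practice, also restrict the
// scheme. Returns null when the URL should not be rendered as a link at all.
function safe_href(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return esc($url);
}

// Constructed sample input: a double quote that closes the value attribute
// early, followed by an event-handler attribute name (no working script).
$constructed = '" onmouseover="x';

echo "unsafe: ", render_unsafe('errorMsg', $constructed), PHP_EOL;
echo "safe:   ", render_safe('errorMsg', $constructed), PHP_EOL;

echo "href:   ", var_export(safe_href('https://example.com/'), true), PHP_EOL;
echo "href:   ", var_export(safe_href('javascript:x'), true), PHP_EOL;
```

In the unsafe output the constructed value terminates the `value` attribute and the `onmouseover` text becomes a real attribute of the `<input>` element; in the safe output every `"` is emitted as `&quot;`, so the whole value stays inside the attribute as inert text. Because Step 4 notes the application may also store these values (save.php), the fix belongs at output, wherever the value is rendered, rather than only at the point where it is saved: a value that was stored before the fix still needs encoding when it is displayed.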

CVE-2006-4577 - MEDIUM Severity (6.8) | Free CVE Database | 4nuxd