Summary
A reflected XSS vulnerability was identified in the FacebookBridge. When the Facebook captcha challenge page is triggered and rendered, the $_SERVER['QUERY_STRING'] is inserted directly into the HTML action attribute of a <form> element without proper HTML attribute-context escaping.
This allows an attacker to control the query string, break out of the action attribute, and inject malicious HTML event handlers or scripts.
Vulnerable Code
Location: bridges/FacebookBridge.php#L494-L505
The vulnerable code pattern is located in the captcha rendering block:
$message = <<<EOD
<form method="post" action="?{$_SERVER['QUERY_STRING']}">
<h2>Facebook captcha challenge</h2>
<p>Unfortunately, rss-bridge cannot fetch the requested page.<br />
Facebook wants rss-bridge to resolve the following captcha:</p>
<p><img src="data:image/png;base64,{$img}" /></p>
<p><b>Response:</b> <input name="captcha_response" placeholder="please fill in" />
<input type="submit" value="Submit!" /></p>
</form>
EOD;
die($message);
Proof of Concept
An attacker can craft a query string containing a raw double quote character (") to terminate the action attribute early and inject a new event handler attribute (e.g., onmouseover).
Example Payload:
/?action=display&bridge=Facebook&context=User&u=test"onmouseover="alert(1)"x="
If this crafted request reaches the captcha rendering path, the generated HTML will be rendered as follows, executing the JavaScript when interacted with:
<form method="post" action="?action=display&bridge=Facebook&context=User&u=test"onmouseover="alert(1)"
Suggested Remediation
To prevent this XSS vulnerability, the query string must be escaped for the HTML attribute context before being embedded into the action attribute. It is recommended to wrap $_SERVER['QUERY_STRING'] with htmlspecialchars() or htmlentities() using the ENT_QUOTES flag, so that both double and single quotes are encoded and the attribute cannot be terminated early.
Example Fix:
$safe_query_string = htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES, 'UTF-8');
$message = <<<EOD
<form method="post" action="?{$safe_query_string}">
...
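As an added example (not part of the advisory or of rss-bridge's own code), the following PHP applies the remediation to the whole captcha block and checks, against the advisory's own payload, that the injected quote is encoded and the onmouseover text never becomes an attribute. Function and variable names are illustrative.

```php
<?php
declare(strict_types=1);

// Added example, not rss-bridge code: escape a value for HTML attribute context.
function escapeAttr(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close a quoted
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened version of the captcha block: the query string is escaped before
// interpolation. The browser decodes &amp; back to & when reading the
// attribute, so the round-trip to the same bridge request still works.
function renderCaptchaForm(string $queryString, string $imgBase64): string
{
    $safeQuery = escapeAttr($queryString);
    $safeImg   = escapeAttr($imgBase64);
    return <<<EOD
<form method="post" action="?{$safeQuery}">
<h2>Facebook captcha challenge</h2>
<p>Unfortunately, rss-bridge cannot fetch the requested page.<br />
Facebook wants rss-bridge to resolve the following captcha:</p>
<p><img src="data:image/png;base64,{$safeImg}" /></p>
<p><b>Response:</b> <input name="captcha_response" placeholder="please fill in" />
<input type="submit" value="Submit!" /></p>
</form>
EOD;
}

// Constructed input: the raw query string from the advisory's proof of concept,
// as it would appear in $_SERVER['QUERY_STRING'] if the quote arrives unencoded.
$payload = 'action=display&bridge=Facebook&context=User&u=test"onmouseover="alert(1)"x="';
$html    = renderCaptchaForm($payload, 'iVBORw0KGgo='); // constructed PNG prefix

// The only raw double quotes left are the ones the template itself emits;
// the attacker-controlled quote is now &quot; and stays inside the attribute.
if (strpos($html, 'onmouseover="alert(1)"') !== false) {
    throw new RuntimeException('attribute break-out still possible');
}
if (strpos($html, 'u=test&quot;onmouseover=&quot;alert(1)&quot;x=&quot;') === false) {
    throw new RuntimeException('query string was not escaped as expected');
}
echo $html;
```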