Project

General

Profile

Actions

Bug #16934

closed

Potential XSS in nmap scan output

Added by Jim Pingle 9 days ago. Updated 1 day ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Nmap
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

When performing a scan using nmap_scan.php, the output of the scan is printed to the user without encoding, leading to a potential XSS if a scan is run with the -sV parameter to identify service versions.

When nmap scans a host with the -sV parameter active, it attempts to determine the version of the daemon it detected after finding an open port. If nmap does not recognize the service, it prints the text returned by the scanned service.

If this text returned by the target daemon contains an XSS payload, the page will print it back to the user. For example:

</textarea><svg/onload=alert`XSS`>

Reported by: @lujiefsi

Actions

Also available in: Atom PDF