Improper sanitization of the request URI within the PHP-FPM status page allows an attacker to execute arbitrary JavaScript code (XSS) on the victims machine, possibly stealing cookies on insufficiently hardened systems, or stealing other sensitive data such as the information from the status page itself. An attacker does not require authentication or access to the /status endpoint in order to trigger XSS, but may simply visit a URI embedding the malicious code.
- Navigate to
example.com/<script>alert()</script>
- Navigate to
example.com/status?full&html
- Observe the JavaScript pop-up.
The same is possible for the XML endpoint, possibly embedding malicious XML nodes into the status report.
- Navigate to
example.com/<
- Navigate to
example.com/status?full&xml
- Observe the XML parsing error.
Improper sanitization of the request URI within the PHP-FPM status page allows an attacker to execute arbitrary JavaScript code (XSS) on the victims machine, possibly stealing cookies on insufficiently hardened systems, or stealing other sensitive data such as the information from the status page itself. An attacker does not require authentication or access to the
/statusendpoint in order to trigger XSS, but may simply visit a URI embedding the malicious code.example.com/<script>alert()</script>example.com/status?full&htmlThe same is possible for the XML endpoint, possibly embedding malicious XML nodes into the status report.
example.com/<example.com/status?full&xml