CVE-2017-6537
📋 TL;DR
This is a reflected Cross-Site Scripting (XSS) vulnerability in WebPageTest 3.0: the value of the bgcolor request parameter to video/view.php is echoed into the page without validation or output encoding, so an attacker can break out of the HTML attribute and inject script. A victim who follows a crafted link has that script run in their browser in the origin of the WebPageTest instance, where it can read non-HttpOnly cookies, submit tests or read results as that user, or rewrite the page. Any WebPageTest 3.0 deployment whose video/view.php endpoint is reachable is affected.
💻 Affected Systems
- webpagetest 3.0 (video/view.php, bgcolor parameter)
📦 What is this software?
WebPageTest is the open-source web performance testing tool maintained by the WPO Foundation (https://github.com/WPO-Foundation/webpagetest). The video/ directory of the web front end renders filmstrip and video views of completed tests; view.php takes display options such as bgcolor from the request.
⚠️ Risk & Real-World Impact
Worst Case
The injected script runs with the victim's session in the WebPageTest origin. An attacker could capture session cookies that are not marked HttpOnly, act as an administrator if one is lured to the link (change settings, alter or delete test results), or host a convincing phishing page on the trusted hostname.
Likely Case
Session hijacking of regular users who follow a crafted link, credential theft through an injected login form, or defacement of the video view page.
If Mitigated
Limited impact once the bgcolor value is validated against an allowlist and encoded on output: the payload is either rejected or rendered as inert text instead of executing.
🎯 Exploit Status
No authentication is needed; the attacker only has to craft a URL with a malicious bgcolor value and get a victim to open it (reflected XSS, so a click or embedded link is required). A public proof of concept showing injection via the bgcolor parameter is in the GitHub issue linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: No numbered release is named; the fix landed in the repository after 3.0 (see the issue linked below for the relevant commit)
Vendor Advisory: https://github.com/WPO-Foundation/webpagetest/issues/837
Restart Required: No
Instructions:
1. Update to the latest WebPageTest version from the official repository.
2. If you cannot upgrade, apply the specific commit that fixes the XSS in video/view.php to your deployment.
3. Verify the fix by requesting the endpoint with the test payload from "How to Verify" and confirming it is encoded in the response.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation of the bgcolor parameter before it is used.
Modify www/video/view.php so that bgcolor is checked against an allowlist (a CSS named colour or a #rrggbb hex value) and falls back to a default otherwise; as defence in depth, pass the value through htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at the point where it is written into the attribute. Encoding alone stops the break-out; the allowlist also keeps unexpected values out of the markup entirely.
WAF Rule
Add a web application firewall rule that blocks malicious bgcolor values on requests to video/view.php.
Match on the URL-decoded value and block anything that is not a plain colour token, or at minimum anything containing quotes, angle brackets, "script", "javascript:" or an on*= event handler. Attackers percent-encode payloads, so a rule that inspects only the raw query string will miss them.
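The two layers described above, written out as an added example in Python rather than as the project's PHP patch. It is not WebPageTest code; the `<body bgcolor="...">` rendering, the colour allowlist and the default value are assumptions made to show the behaviour, and `html.escape(..., quote=True)` stands in for `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`.

```python
"""Added example (not WebPageTest code): allowlist validation for the
bgcolor parameter, with attribute-context escaping as defence in depth.
The vulnerable rendering is kept beside the hardened one so both can be
exercised offline against the advisory's payload."""
import html
import re

# Assumption: a short, explicit allowlist of CSS named colours.
NAMED_COLORS = {"black", "white", "red", "green", "blue", "gray", "grey",
                "yellow", "orange", "purple", "silver", "navy", "teal"}
# #rgb or #rrggbb, leading '#' optional.
HEX_COLOR = re.compile(r"\A#?[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?\Z")
DEFAULT_BGCOLOR = "black"   # assumption: the page's fallback colour


def validate_bgcolor(value, default=DEFAULT_BGCOLOR):
    """Return a canonical colour if value is a named or hex colour,
    otherwise the default. Quotes, angle brackets and spaces can never
    pass, so the attribute cannot be broken out of."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in NAMED_COLORS:
        return v
    if HEX_COLOR.match(v):
        return "#" + v.lstrip("#")
    return default


def render_body_tag_vulnerable(raw_bgcolor):
    """The unsafe pattern the advisory describes: the request value is
    written straight into a double-quoted attribute."""
    return '<body bgcolor="%s">' % (raw_bgcolor or DEFAULT_BGCOLOR)


def render_body_tag(raw_bgcolor):
    """Hardened rendering: validate first, then escape for the attribute
    context. Escaping alone would already neutralise the quote; the
    allowlist additionally keeps arbitrary strings out of the markup."""
    color = validate_bgcolor(raw_bgcolor)
    return '<body bgcolor="%s">' % html.escape(color, quote=True)


if __name__ == "__main__":
    payload = 'red" onload="alert(\'XSS\')'   # the advisory's test value
    print(render_body_tag_vulnerable(payload))
    print(render_body_tag(payload))
    print(render_body_tag("#ABC"))
```

Running the block prints the broken-out tag from the vulnerable renderer and `<body bgcolor="black">` from the hardened one; a request that supplies `#ABC` is normalised to `#abc`.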
🧯 If You Can't Patch
- Disable or restrict access to the video/view.php endpoint in the web server configuration (deny by default, allow only trusted networks) until the patch can be applied
- Send a Content Security Policy header that does not permit inline script (no 'unsafe-inline' in script-src); this blocks the injected event handler, but test the page first, since the video view may rely on inline scripts that the policy would also block
🔍 How to Verify
Check if Vulnerable:
Request video/view.php with a bgcolor value that tries to close the attribute, such as: ?bgcolor=red" onload="alert('XSS') (URL-encode it when sending). If the page source shows the quote and onload= verbatim inside the body tag, the instance is vulnerable; a fixed instance shows the value entity-encoded or replaced by a default colour.
Check Version:
Compare your deployment against the repository: a checkout at or before the 3.0 release, or any tree whose www/video/view.php still echoes bgcolor without validation or encoding, should be treated as vulnerable
Verify Fix Applied:
After patching, send the same payload again: no JavaScript should execute, and in the page source the quote characters should appear as &quot; (or the value should have been replaced by a default colour)
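The verification steps above, as an added example that is not part of the advisory or the project. It builds the probe URL with the payload properly URL-encoded and classifies a response body as vulnerable (payload reflected verbatim), encoded (quotes turned into &quot;) or absent (value replaced, as an allowlist would do). The HTTP fetch is left to the caller so the classifier can be checked offline; the base URL and the three sample response bodies are constructed for illustration.

```python
"""Added example (not WebPageTest code): build the advisory's probe
request and classify what the server reflects. Sample bodies below are
constructed, not captured from a real instance."""
import html
from urllib.parse import urlencode, urljoin

PROBE_PAYLOAD = 'red" onload="alert(\'XSS\')'   # the advisory's test value


def build_probe_url(base_url, payload=PROBE_PAYLOAD):
    """base_url must end with '/' (assumption); the payload is percent-
    encoded because the raw form with quotes and spaces is not a valid URL."""
    return urljoin(base_url, "video/view.php") + "?" + urlencode({"bgcolor": payload})


def classify_reflection(body, payload=PROBE_PAYLOAD):
    """Look for the attribute break-out, i.e. the part of the payload up
    to the script call. PHP htmlspecialchars() and Python html.escape()
    both turn the double quote into &quot;, so that form means 'encoded'."""
    marker = payload.split("alert(")[0]            # 'red" onload="'
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


# Constructed sample responses (illustrative, not real server output).
SAMPLE_VULNERABLE = '<html><body bgcolor="red" onload="alert(\'XSS\')"><div id="video">'
SAMPLE_ENCODED = '<html><body bgcolor="red&quot; onload=&quot;alert(&#039;XSS&#039;)"><div id="video">'
SAMPLE_ALLOWLISTED = '<html><body bgcolor="black"><div id="video">'


if __name__ == "__main__":
    print(build_probe_url("https://wpt.example.test/"))
    for name, body in (("vulnerable", SAMPLE_VULNERABLE),
                       ("encoded", SAMPLE_ENCODED),
                       ("allowlisted", SAMPLE_ALLOWLISTED)):
        print(name, "->", classify_reflection(body))
```

To use it against a live instance, fetch `build_probe_url(...)` with any HTTP client and pass the response text to `classify_reflection`; a result of "vulnerable" before patching and "encoded" or "absent" afterwards confirms the fix. The classifier inspects the raw HTML, so it is not fooled by a browser that refuses to run the script for unrelated reasons.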
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to video/view.php whose bgcolor value, after URL decoding, contains quotes, angle brackets, script tags, javascript: URLs or on*= event handlers instead of a plain colour
Network Indicators:
- Unusual GET/POST requests to video/view.php with percent-encoded (or double-encoded) payloads in the query string, often from a single source and with a non-browser User-Agent
SIEM Query:
The following is pseudo-syntax; adapt the field names to your platform and make sure the matched value is URL-decoded first, otherwise encoded payloads are missed:
source="web_server" AND uri="/video/view.php" AND param="bgcolor" AND value MATCHES "(?i)(<|>|\"|'|script|javascript:|on[a-z]+\s*=)"
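The detection logic above run over access-log lines, as an added example that is not part of the advisory. It parses Apache/nginx combined-format lines, URL-decodes the bgcolor value (including a second pass for double-encoded payloads) before matching, and reports hits; the log lines and the test id in them are constructed for illustration.

```python
"""Added example (not from the advisory): flag requests to video/view.php
whose bgcolor value looks like markup or script. Matching happens on the
decoded value, which a SIEM query on the raw query string would miss."""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same pattern as the SIEM pseudo-query: anything a colour token never contains.
SUSPICIOUS = re.compile(r"""(?i)(<|>|"|'|script|javascript:|on[a-z]+\s*=)""")


def inspect_line(line):
    """Return a dict describing a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/video/view.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("bgcolor", []):
        decoded = unquote_plus(value)   # parse_qs decoded once; catch double-encoding
        if SUSPICIOUS.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), "bgcolor": decoded}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (inspect_line(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic; test id is made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:12:00:01 +0000] "GET /video/view.php?id=170310_AB_1&bgcolor=white HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2017:12:00:05 +0000] "GET /video/view.php?bgcolor=red%22+onload%3D%22alert%28%27XSS%27%29 HTTP/1.1" 200 5140 "-" "curl/7.52.1"',
    '198.51.100.4 - - [10/Mar/2017:12:00:09 +0000] "GET /video/view.php?bgcolor=%253Cscript%253E HTTP/1.1" 200 5001 "-" "python-requests/2.13.0"',
    '198.51.100.5 - - [10/Mar/2017:12:00:12 +0000] "GET /results.php?test=170310_AB_1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], repr(hit["bgcolor"]))
```

Feed it a real log with `scan(open(path))`; a plain colour such as `white` is ignored, while both the percent-encoded advisory payload and the double-encoded `<script>` probe are reported with their decoded values. A 200 status on a hit does not by itself mean the payload executed, only that the endpoint answered; confirm with the verification step above.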