CVE-2024-41348
📋 TL;DR
CVE-2024-41348 is a Cross-Site Scripting (XSS) vulnerability in openflights' php/alsearch.php file that allows attackers to inject malicious scripts into web pages viewed by other users. This affects any openflights deployment using the vulnerable commit. Users visiting the compromised page could have their sessions hijacked or be redirected to malicious sites.
💻 Affected Systems
- openflights
📦 What is this software?
Openflights by Jpatokal
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal user session cookies, perform actions as authenticated users, redirect to phishing sites, or install malware via drive-by downloads.
Likely Case
Session hijacking leading to unauthorized access to user accounts and potential data theft.
If Mitigated
Minimal impact with proper Content Security Policy (CSP) headers and input validation in place.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited and weaponization is straightforward given the public PoC in GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commits d815df727a94fe98d3299873f0efddf6a81a56a3 and e7f5d8112d5353cc1ceb6ae92aa5ff2f3c2e35a6
Vendor Advisory: https://github.com/jpatokal/openflights/commit/d815df727a94fe98d3299873f0efddf6a81a56a3
Restart Required: No
Instructions:
1. Pull the latest openflights repository.
2. Apply commits d815df7 and e7f5d81.
3. Replace php/alsearch.php with the patched version.
4. No restart needed for PHP applications.
🔧 Temporary Workarounds
Input Sanitization Filter (applies to: all)
- Add input validation to sanitize user input in php/alsearch.php
- Modify php/alsearch.php to use htmlspecialchars() or filter_input() on all user-controlled parameters
Content Security Policy (applies to: all)
- Implement CSP headers to restrict script execution
- Add header("Content-Security-Policy: default-src 'self'") to PHP files; the header() call must run before any output is sent, otherwise PHP cannot set the header
🧯 If You Can't Patch
- Disable or remove php/alsearch.php if not required
- Implement WAF rules to block XSS payloads targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if php/alsearch.php exists and contains unescaped user input in output. Test with payload: <script>alert('XSS')</script> in search parameters.
Check Version:
git log --oneline | grep -E "d815df7|e7f5d81"
Verify Fix Applied:
Verify commits d815df7 and e7f5d81 are applied. Test XSS payloads no longer execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual GET/POST requests to php/alsearch.php with script tags or JavaScript code in parameters
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing <script>, javascript:, or encoded XSS payloads to the search endpoint
SIEM Query:
source="web_logs" AND uri_path="/php/alsearch.php" AND (query="*<script>*" OR query="*javascript:*")
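An added example, not code from the advisory or the openflights project: a small Python detector that applies the log indicators above to constructed Apache/nginx combined-format access-log lines. It assumes the endpoint is served at /php/alsearch.php and percent-decodes the query string repeatedly, so URL-encoded and double-encoded script-tag or javascript: payloads are flagged alongside plain ones, which the SIEM wildcard query on its own would miss.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format access lines (constructed sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /php/alsearch.php?name=lufthansa HTTP/1.1" 200 512
10.0.0.6 - - [01/Aug/2024:10:00:02 +0000] "GET /php/alsearch.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2024:10:00:03 +0000] "GET /php/alsearch.php?name=javascript%3Aalert(1) HTTP/1.1" 200 512
10.0.0.8 - - [01/Aug/2024:10:00:04 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2024:10:00:05 +0000] "GET /php/alsearch.php?name=%253Cscript%253E HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
XSS_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)
ENDPOINT = "/php/alsearch.php"  # assumed deployment path of the vulnerable script

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded query) for each request to the endpoint whose query carries a script tag or javascript: URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue  # only the vulnerable endpoint is in scope here
        query = decode_fully(parts.query)
        if XSS_RE.search(query):
            hits.append((m.group("ip"), m.group("ts"), query))
    return hits

if __name__ == "__main__":
    for ip, ts, query in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {ENDPOINT}?{query}")
```

Feed it real access logs by replacing SAMPLE_LOG with file contents; POST bodies are not in the access log, so the request-body indicator needs a WAF or application log instead.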