Stored Cross-Site Scripting (XSS) Vulnerability in tltneon/lgsl

Published Date: December 27, 2024

Package: tltneon/lgsl (Composer)
Affected Versions: < 7.0.0
Patched Versions: 7.0.0
Severity: High

Description

Summary


A Stored Cross-Site Scripting (XSS) vulnerability exists in the lgsl package due to improper sanitization of user input. This flaw allows attackers to inject malicious JavaScript code, which executes when users access specific pages.




Details


The issue stems from the lgsl_query_40 function in lgsl_protocol.php. This function uses an HTTP crawler to fetch data from a registered game server. If the server responds with a malicious payload on the /info endpoint, the injected JavaScript executes when the data is displayed on the lgsl_details.php page.

Vulnerable Code Snippet:



// Vulnerable code example
foreach ($server['details'] as $key => $value) {
    // Attempting to convert URLs into clickable links
    $value = preg_replace(
        '/((https?:\/\/|www\.)[\w\d\.\-\/=?&]+)/i',
        "<a href='$1' target='_blank'>$1</a>",
        html_entity_decode($value)
    );

    // Outputting unsanitized data directly into HTML
    echo "<tr><td>{$key}</td><td>{$value}</td></tr>";
}


Explanation of the Issue:



  1. The code attempts to convert URLs in user data into clickable links.

  2. html_entity_decode decodes HTML entities, which could reintroduce malicious JavaScript.

  3. $value is inserted directly into the table row without proper escaping, enabling XSS injection.


Proof of Concept (PoC)



  1. A malicious user submits the following payload as part of the server’s response:



{
"ServerName": "<script>alert('XSS')</script>"
}



  2. When the page renders, the malicious JavaScript executes, causing an alert box to appear.

Patches & Workarounds

Fix Recommendation


Update to version 7.0.0 or later, where this issue is patched.

If upgrading is not immediately possible:

  • Ensure all user-provided data is properly sanitized and escaped before rendering.

  • Use htmlspecialchars instead of html_entity_decode.

  • Avoid direct rendering of untrusted content.


Secure Fixed Example


To prevent XSS, we must sanitize user input properly and avoid rendering raw data directly into HTML.






// Secure Code Example
foreach ($server['details'] as $key => $value) {
    // Escape special characters first, so no markup from the server survives
    $safeValue = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');

    // Optional: match URLs and render them as clickable links.
    // $safeValue is already escaped, so the matched text ($1) cannot contain
    // quotes or angle brackets. Calling htmlspecialchars on the literal
    // string '$1' inside the replacement would have no effect, so it is omitted.
    $safeValue = preg_replace(
        '/((https?:\/\/|www\.)[\w\d\.\-\/=?&]+)/i',
        '<a href="$1" target="_blank">$1</a>',
        $safeValue
    );

    // Render the escaped key and value
    echo "<tr><td>" . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . "</td><td>{$safeValue}</td></tr>";
}






Changes Made in the Fix:



  1. Escaped User Input: Used htmlspecialchars to prevent HTML and JavaScript execution.

  2. Escaped URLs Properly: Ensured even URL links are sanitized before rendering.

  3. Double Sanitization Check: Both $key and $value are individually escaped before being inserted into HTML.
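
The difference between the vulnerable and fixed rendering, run on the PoC payload and on an entity-encoded form of it, as an added example that is not lgsl's code or its actual patch. The function names and the sample $details array (including the Motd and Website keys) are constructed; the hardened version goes slightly beyond the fix above by escaping URL and non-URL pieces separately, so an & inside a URL is not split by escaping before matching.

```php
<?php
// Added example, not lgsl code. Function names and sample data are
// constructed for illustration.

// Same logic as the vulnerable snippet: decode entities, linkify, no escaping.
function render_vulnerable(string $value): string {
    return preg_replace(
        '/((https?:\/\/|www\.)[\w\d\.\-\/=?&]+)/i',
        "<a href='$1' target='_blank'>$1</a>",
        html_entity_decode($value)
    );
}

// Hardened: split the raw value into URL and non-URL pieces, escape every
// piece, and build the markup only from escaped pieces.
function render_hardened(string $value): string {
    $parts = preg_split(
        '/((?:https?:\/\/|www\.)[\w.\-\/=?&]+)/i',
        $value, -1, PREG_SPLIT_DELIM_CAPTURE
    ) ?: [$value];
    $out = '';
    foreach ($parts as $i => $part) {
        $text = htmlspecialchars($part, ENT_QUOTES, 'UTF-8');
        if ($i % 2 === 0) {          // even index: plain text between URLs
            $out .= $text;
            continue;
        }
        // odd index: a captured URL; give bare "www." hosts an explicit scheme
        $href = stripos($part, 'www.') === 0 ? 'https://' . $part : $part;
        $out .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
              . '" target="_blank" rel="noopener noreferrer">' . $text . '</a>';
    }
    return $out;
}

// Constructed sample of what a registered game server could return.
$details = [
    'ServerName' => "<script>alert('XSS')</script>",                  // payload from the PoC
    'Motd'       => "&lt;script&gt;alert('XSS')&lt;/script&gt;",      // entity-encoded form
    'Website'    => 'https://example.com/?a=1&b=2',                   // legitimate URL
];
foreach ($details as $key => $value) {
    echo $key, "\n  vulnerable: ", render_vulnerable($value),
               "\n  hardened:   ", render_hardened($value), "\n";
}
```

The Motd row shows why html_entity_decode matters: a value that arrives already entity-encoded is turned back into live markup by the vulnerable path, while the hardened path keeps it as text.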






Best Practices Moving Forward:



  1. Always sanitize user input using htmlspecialchars or a similar method.

  2. Avoid using html_entity_decode on user-provided data.

  3. Validate input on both the client and server sides.

  4. Use strict Content Security Policies (CSP) to minimize XSS risks.
