Full Report
A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fueling a spam ads campaign at scale. Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign – dubbed 360XSS – affected over 350 websites,
Analysis Summary
# Vulnerability: Reflected XSS in Krpano Framework leading to SEO Poisoning
## CVE Details
- CVE ID: CVE-2020-24901
- CVSS Score: 6.1 (Medium)
- CWE: Missing authorization/Improper Input Validation (Implied XSS)
## Affected Systems
- Products: Krpano Virtual Tour Framework
- Versions: Releases predating 1.20.10. Specifically, deployments are vulnerable where `passQueryParameters` is enabled and the XML parameter is accepted from the URL, allowing external configuration to be loaded.
- Configurations: The vulnerability is triggered when Krpano is embedded with the `passQueryParameters` option enabled and an XML parameter passed via the URL is used to load external configuration.
## Vulnerability Description
The vulnerability is a **Reflected Cross-Site Scripting (XSS)** flaw within the Krpano framework when embedding a panorama viewer into an HTML page. This issue stems from the `passQueryParameters` embedding parameter being enabled, which allows HTTP parameters from the URL to be passed directly to the viewer. An attacker can exploit this by crafting a malicious URL containing an XML parameter that forces the viewer to load an external XML configuration file, which in turn executes a Base64-encoded malicious script in the context of the trusted, legitimate domain hosting the virtual tour. This abuse has been observed being used in an "industrial-scale" SEO poisoning campaign (dubbed 360XSS).
## Exploitation
- Status: Exploited in the wild (Observed in a campaign affecting over 350 websites).
- Complexity: Medium (Requires crafting a specific URL injection payload).
- Attack Vector: Network (Requires a user to click a maliciously crafted URL).
## Impact
- Confidentiality: Possible, since injected scripts could exfiltrate data, though the primary impact observed was redirects and ad serving.
- Integrity: High (Scripts executed in the context of the legitimate site, potentially defacing or modifying content seen by the user).
- Availability: Low (Indirect impact through reputational damage/site load).
## Remediation
### Patches
- **Krpano Version 1.22.4+:** This release (and later versions) no longer accepts external configuration through URL parameters passed by `passQueryParameters`. The XML parameter is now restricted to URLs within the current folder structure, and data URLs and external URLs are generally disallowed as parameter values.
- **Krpano Version 1.20.10:** This version introduced restrictions to `passQueryParameters`, but subsequent configuration changes could reintroduce risk. Users should prioritize updating beyond this version.
### Workarounds
1. **Disable Parameter Passing:** Set the `passQueryParameters` embedding setting to `false` if using older versions of Krpano or if immediate patching is not possible.
2. **Configuration Auditing:** Review existing Krpano embed configurations to ensure that external XML parameters loaded via the URL are not permitted, especially if running version 1.20.10 or later but pre-1.22.4.
## Detection
- **Indicators of Compromise (IoCs):** URLs containing Krpano XML parameters injected into search engine results, redirecting users to unsolicited content (pornography, spam, online casinos) via legitimate trusted domains.
- **Detection Methods and Tools:** Use Google Search Console to monitor for unexpected or malicious indexed pages. Configure Web Application Firewalls (WAFs) to inspect incoming URLs for an XML query parameter that points to an external URL or a data URL, the pattern associated with `passQueryParameters` abuse, and for other known vulnerability signatures related to this flaw.
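As an added example for the detection approach above (not code from Krpano or from the researcher's report), a small Python scanner that flags access-log requests whose `xml` query parameter points to an external URL, a data URL or outside the tour folder; the log lines and hostnames are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (hosts and paths are hypothetical).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Mar/2025:10:00:02 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fattacker.example%2Fp.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /tour/index.html?xml=data%3Atext%2Fxml%3Bbase64%2CPGtycGFubz4%3D HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Mar/2025:10:00:04 +0000] "GET /tour/index.html?xml=..%2F..%2Fother%2Fp.xml HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 100',
]

def classify_xml_param(value: str) -> str:
    """Return 'ok' for a relative path inside the tour folder, else the reason it is suspect."""
    v = unquote(value).strip()          # second decode catches double-encoded values
    low = v.lower()
    if low.startswith("data:"):
        return "data-url"
    if low.startswith("javascript:"):
        return "script-url"
    if "://" in low or low.startswith("//"):
        return "external-url"
    # normpath collapses "a/../.." so an escape from the tour folder shows up as a leading ".."
    if v.startswith("/") or normpath(v).startswith(".."):
        return "path-traversal"
    return "ok"

def scan_log(lines):
    """Yield (request_path, xml_value, reason) for every request whose xml parameter is suspect."""
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for xml_value in parse_qs(parts.query).get("xml", []):
            reason = classify_xml_param(xml_value)
            if reason != "ok":
                yield (parts.path, xml_value, reason)

if __name__ == "__main__":
    for path, value, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:15} {path} xml={value!r}")
```

The same classifier can be applied to WAF rule testing: any request whose `xml` value is not classified `ok` is a candidate for blocking or alerting.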
## References
- [Related Researcher Report](https://olegzay.com/360xss/)
- [Krpano Embedding Documentation](https://krpano.com/docu/embedpano/#embeddingparameters)
- [Krpano Release Notes v1.22.4](https://krpano.com/docu/releasenotes/?version=122#top)