Yahei-PHP Prober v0.4.7 (speed) Remote HTML Injection Vulnerability

Title: Yahei-PHP Prober v0.4.7 (speed) Remote HTML Injection Vulnerability
Advisory ID: ZSL-2019-5531
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 24.07.2019
Summary
Yahei-PHP Prober detects the operating environment of the system's web server.
Description
Input passed to the GET parameter 'speed' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in the context of an affected site.

--------------------------------------------------------------------------------

/prober.php:
--------------
206: elseif(isset($_GET['speed']) and $_GET['speed']>0)
207: {
208: $speed=round(100/($_GET['speed']/1000),2); //Download speed: $speed kb/s
209: }
...
...
1393: <?php echo (isset($_GET['speed']))?"Download 1000KB Used <font color='#cc0000'>".$_GET['speed']."</font> Millisecond, Download Speed: "."<font color='#cc0000'>".$speed."</font>"." kb/s":"<font color='#cc0000'>&nbsp;No Test&nbsp;</font>" ?>

--------------------------------------------------------------------------------
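One way to harden the two excerpts above, as an added example that is not part of the original advisory or the vendor's code: line 1393 echoes `$_GET['speed']` whenever it is set, independent of the numeric check on line 206, so the fix validates the value once as a positive integer and HTML-encodes everything that reaches the page. The helper names `parse_speed` and `render_speed` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not vendor code. parse_speed() and render_speed() are
// hypothetical helpers replacing the logic at lines 206-209 and 1393.

/**
 * Accept 'speed' only as a positive integer (milliseconds).
 * Returns null for a missing value, an array, zero, a negative number,
 * or any string that is not purely an integer.
 */
function parse_speed(array $query): ?int
{
    if (!isset($query['speed']) || !is_string($query['speed'])) {
        return null;
    }
    $ms = filter_var(
        $query['speed'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $ms === false ? null : $ms;
}

/** Build the result line from the validated value only, never from $_GET. */
function render_speed(?int $ms): string
{
    if ($ms === null) {
        return "<font color='#cc0000'>&nbsp;No Test&nbsp;</font>";
    }
    $speed = round(100 / ($ms / 1000), 2); // same formula as line 208
    // Encode on output as defence in depth, even though both values are numeric.
    $msOut    = htmlspecialchars((string) $ms, ENT_QUOTES, 'UTF-8');
    $speedOut = htmlspecialchars((string) $speed, ENT_QUOTES, 'UTF-8');
    return "Download 1000KB Used <font color='#cc0000'>" . $msOut
         . "</font> Millisecond, Download Speed: <font color='#cc0000'>"
         . $speedOut . "</font> kb/s";
}

// Constructed sample query strings: valid, markup appended, array, missing.
$samples = [
    ['speed' => '250'],
    ['speed' => '250<b>x</b>'],
    ['speed' => ['1']],
    [],
];
foreach ($samples as $query) {
    echo render_speed(parse_speed($query)), PHP_EOL;
}
```

Only the first sample produces a speed line; the other three fall through to the "No Test" branch, so no request-supplied text is ever written into the response.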

Vendor
Yahei.Net - http://www.yahei.net
Affected Version
0.4.7
Tested On
OneinStack (Linux 3.10.0-862.14.4.el7.x86_64)
nginx/1.14.0
PHP/7.2.11
Vendor Status
N/A
PoC
php_probe_htmli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/153756
[2] https://cxsecurity.com/issue/WLB-2019070132
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/164412
Changelog
[24.07.2019] - Initial release
[02.08.2019] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk