A recently reported cross-site scripting (XSS) vulnerability in the Krpano framework has been used for a large ad-injection campaign affecting more than 350 websites. Security researcher Oleg Zaytsev, who named the operation 360XSS, found that the attackers abused the Krpano viewer, which sites embed to display interactive 360-degree virtual tours and VR content. The affected sites included government portals and Fortune 500 companies.

Zaytsev discovered the vulnerability after a Google search surfaced a pornography-related advertisement served from a Yale University domain. The attackers crafted URLs on the victim sites whose XML query parameter pointed the Krpano viewer at attacker-controlled XML; loading it caused a Base64-encoded script to execute in the context of the victim domain. That script then fetched the actual ad from another legitimate site, so the trust and search ranking of the hijacked domains were used to promote adult ads, diet supplements, and fake news.

The flaw stems from Krpano's "passQueryParameters" setting. When it is enabled, query parameters from the page URL are passed through to the viewer's configuration, including the parameter that selects the XML file to load, which lets an attacker supply their own configuration. A previous update had added restrictions intended to close this XSS, but installations with the setting misconfigured could still be exploited, and Zaytsev noted that older versions of Krpano, specifically those released before version 1.20.10, remained particularly at risk.
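As an added example that is not from the article or from the Krpano project, the following script shows how an operator could triage web-server access logs for the shape of request the campaign relied on: a hit on a tour page whose xml query parameter resolves to an origin other than the site itself. The hostname, paths and log lines are constructed for the example; the only assumption about Krpano is the one the article states, namely that the viewer reads its configuration file from the xml URL parameter when passQueryParameters allows it.

```javascript
// Added example (not from the original page or the Krpano project):
// flag requests whose "xml" query parameter points the Krpano viewer at
// an off-site configuration file, the pattern behind the 360XSS campaign.
const SITE_HOST = "example.edu"; // assumption: the hostname being protected

// Constructed sample access-log lines in combined log format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2025:10:00:00 +0000] "GET /tour/index.html?xml=%2Ftour%2Ftour.xml HTTP/1.1" 200 512',
  '203.0.113.6 - - [10/Mar/2025:10:00:01 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fattacker.example%2Fads.xml HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /tour/index.html?xml=%2F%2Fattacker.example%2Fads.xml HTTP/1.1" 200 512',
  '203.0.113.8 - - [10/Mar/2025:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 512',
];

// Pull the request target out of the quoted request line.
function parseRequestPath(line) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Returns "external" if the xml parameter resolves to another host,
// "same-origin" if it stays on siteHost, "malformed" if it cannot be
// parsed as a URL, or null if the request carries no xml parameter.
// Resolving relative to the page URL catches absolute, protocol-relative
// ("//attacker.example/...") and path-only forms alike.
function classifyXmlParam(path, siteHost = SITE_HOST) {
  let page;
  try { page = new URL(path, `https://${siteHost}`); } catch { return null; }
  const xml = page.searchParams.get("xml"); // searchParams already percent-decodes
  if (xml === null) return null;
  let target;
  try { target = new URL(xml, page); } catch { return "malformed"; }
  return target.host.toLowerCase() === siteHost.toLowerCase() ? "same-origin" : "external";
}

// Scan log lines and return the requests worth a closer look.
function findSuspicious(lines, siteHost = SITE_HOST) {
  const hits = [];
  for (const line of lines) {
    const path = parseRequestPath(line);
    if (!path) continue;
    const verdict = classifyXmlParam(path, siteHost);
    if (verdict === "external" || verdict === "malformed") hits.push({ path, verdict });
  }
  return hits;
}

for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(`${hit.verdict}: ${hit.path}`);
}
```

Only the two requests whose xml parameter leaves the site's origin are reported; the same-origin tour configuration and the unrelated page are ignored. The check is deliberately conservative: a hit means the viewer was asked to load configuration from elsewhere, which on a patched installation should never happen and on an unpatched one is the attack itself.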

By getting the crafted URLs indexed, the attackers turned search engines into the distribution channel for their XSS payloads, a form of SEO manipulation that rides on the reputation of the compromised domains. The technique not only hijacks search traffic but also highlights how a single misconfigured third-party component can undermine an otherwise well-maintained site.

Following Zaytsev's responsible disclosure, the latest version of Krpano (1.22.4) addresses the vulnerability by no longer accepting external configuration through the XML parameter at all. Website administrators using Krpano are urged to update to this version promptly and to review their embed settings so that query parameters cannot be passed through to the viewer unintentionally.
