
Security Bug: Reflected XSS - Event Attendance #6853

Open
0xIapetus opened this issue Feb 10, 2024 · 1 comment
Labels
bug good first issue Indicates a good issue for first-time contributors Security
Milestone

Comments

@0xIapetus

0xIapetus commented Feb 10, 2024

If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?
EventAttendance.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Linux

What browser (and version) are you running?
Firefox

What version of PHP is the server running?
8.3.2

What version of SQL Server are you running?
11.2.2

What version of ChurchCRM are you running?
5.5.0

Severity: medium

Description:
A reflected XSS was found in the ChurchCRM v.5.5.0 functionality where malicious JS or HTML code can be inserted as the Type parameter of the endpoint EventAttendance.php.

The steps for the exploitation are the following:
Copy and paste in the browser: /EventAttendance.php?Action=List&Event=1&Type=<img src="invalid.jpg" onerror="alert('XSS')">
The steps below were used to discover the vulnerability. There is no need to perform these steps in order to exploit it. They are here to showcase the path that was followed in order to discover this vulnerability.
Step 1: Go to the EventEditor.php and create an event with whatever attributes you want and save.
Step 2: Click the event attendance reports button, select the Church Service option and then observe the URL. The Type parameter is vulnerable.

[Screenshots: reflected_xss_before_execution, XSS_execution]

Impact:
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
There are various means by which an attacker might induce a victim user to make a request that they control, to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or on another website that allows content to be generated, or by sending a link in an email, tweet or other message. The attack could be targeted directly against a known user, or could be an indiscriminate attack against any users of the application.

Affected Component:
/churchcrm/EventAttendance.php

Technical Details:
The vulnerability is caused by the failure to validate user input. An attacker can insert malicious JS code, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.

Proof of Concept (PoC):
<img src="invalid.jpg" onerror="alert('XSS')">

Credits:
Georgios Bitounis

Remediation:
1. Input validation: All user input should be validated to ensure that it conforms to the expected format and does not contain any malicious code. Input validation should be performed on client-side and should be designed to detect and block any attempts to inject scripts or other malicious content.
2. Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. Proper encoding can include HTML entity encoding, URL encoding, or JavaScript escaping, depending on the specific context and data being displayed.
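
An added illustration (not ChurchCRM's own code) of the two remediation layers above applied server-side to a reflected Type parameter: the allowed type names, the function names and the sample request value are assumptions made for this example.

```php
<?php
// Added example, not ChurchCRM code: server-side handling of a "Type" query
// parameter on a page like EventAttendance.php, in two layers:
//  1. allow-list validation: Type must be one of the values the page expects
//     (the allowed values below are hypothetical, not taken from ChurchCRM);
//  2. output encoding: anything reflected into HTML goes through
//     htmlspecialchars() with ENT_QUOTES, so text and attribute contexts are safe.

declare(strict_types=1);

/** Allowed event types: a hypothetical placeholder list for this example. */
const ALLOWED_EVENT_TYPES = ['ChurchService', 'SundaySchool', 'Other'];

/**
 * Return the validated Type value, or null when it is missing or not allowed.
 * Rejecting unknown values means attacker-controlled text never reaches the page.
 */
function validateEventType(?string $type): ?string
{
    if ($type === null) {
        return null;
    }
    return in_array($type, ALLOWED_EVENT_TYPES, true) ? $type : null;
}

/**
 * Encode a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES covers both " and '; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Simulated request: when run outside a web server, a constructed value that
// contains markup, so the encoding path is exercised.
$requested = $_GET['Type'] ?? '<b onmouseover="x()">constructed</b>';

$type = validateEventType($requested);
if ($type === null) {
    http_response_code(400);
    // Even the error message is encoded before it is reflected back.
    echo '<p>Unknown event type: ' . h($requested) . '</p>';
    exit;
}

// $type is one of our own constants, and it is still encoded on output.
echo '<h2>Attendance report: ' . h($type) . '</h2>';
```

The validated value is what drives any later lookup or query, while the raw request value is only ever reflected through `h()`.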

@0xIapetus 0xIapetus added the bug label Feb 10, 2024
@0xIapetus 0xIapetus changed the title 5) Bug: Second Reflected XSS 4) Bug: Second Reflected XSS Feb 10, 2024
@0xIapetus 0xIapetus changed the title 4) Bug: Second Reflected XSS 4) Bug: Reflected XSS Feb 10, 2024
@0xIapetus 0xIapetus changed the title 4) Bug: Reflected XSS 4) Security Bug: Reflected XSS Feb 10, 2024
@MrClever MrClever changed the title 4) Security Bug: Reflected XSS Security Bug: Reflected XSS Feb 19, 2024
@MrClever MrClever changed the title Security Bug: Reflected XSS Security Bug: Reflected XSS - Event Attendance Feb 19, 2024

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Mar 21, 2024
@DAcodedBEAT DAcodedBEAT removed the Stale label Mar 21, 2024
@DAcodedBEAT DAcodedBEAT added the good first issue Indicates a good issue for first-time contributors label Apr 3, 2024
@DAcodedBEAT DAcodedBEAT added this to the vNext (5.8.0) milestone Apr 15, 2024