Submit #275996: Sourcecodester Testimonial Page Manager 1.0 Stored Cross Site Scripting (XSS)

Title: Sourcecodester Testimonial Page Manager 1.0 Stored Cross Site Scripting (XSS)
Description:

## Summary

Fields in `index.php` take input from the user and store it in a backend SQL database. This data is not sanitized for special HTML characters before being displayed.

## Issue Description

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Note: There is no authentication required to use this software.

The entry point for this vulnerability is `index.php`. `index.php` takes input from the user and creates a POST request to the `add-testimonial.php` endpoint. This endpoint takes the input values and submits them to the backend SQL database. Note that the SQL statement is prepared correctly and is not susceptible to SQL injection.

`add-testimonial.php` lines 4-8:

```php
$witnessName = $_POST['witness_name'];
$witnessDesignation = $_POST['witness_designation'];
$testimony = $_POST['testimony'];
$rating = $_POST['rating'];
```

`add-testimonial.php` lines 51-57:

```php
$stmt = $conn->prepare("INSERT INTO `tbl_testimony` (`tbl_testimony_id`,`image`, `witness_name`, `witness_designation`, `testimony`, `rating`) VALUES (NULL, :image, :witness_name, :witness_designation, :testimony, :rating)");
$stmt->bindParam(':image', $image);
$stmt->bindParam(':witness_name', $witnessName);
$stmt->bindParam(':witness_designation', $witnessDesignation);
$stmt->bindParam(':testimony', $testimony);
$stmt->bindParam(':rating', $rating);
$stmt->execute();
```

After the user input is stored in the SQL database, it is reflected back to users via `index.php`. This endpoint simply takes data from the SQL database and displays it on the page. There is no sanitization of this data as it comes from the database. This creates opportunities for attackers to launch cross-site scripting attacks.

Because the attack only requires an attacker to submit malicious data to the server, and the server reflects that data back to the user, this constitutes a stored cross-site scripting vulnerability.

Data retrieval and reflection, `index.php` lines 228-259:

```php
<?php
$testimonyID = $row['tbl_testimony_id'];
$witnessImage = $row['image'];
$witnessName = $row['witness_name'];
$witnessDesignation = $row['witness_designation'];
$testimony = $row['testimony'];
$rating = $row['rating'];
?>
<div class="item" id="item-<?= $testimonyID ?>">
    <button class="btn btn-light delete-button" onclick="deleteTestimony(<?= $testimonyID ?>)">X</button>
    <div class="imgBox animated bounceInRight" style="animation-delay: 1s">
        <img src="./images/<?= $witnessImage ?>" alt="<?= $witnessImage ?>">
    </div>
    <div class="carousel-caption animated bounceInLeft" style="animation-delay: 2s">
        <input type="hidden" class="id" value="<?= $testimonyID ?>" id="testimonyID-<?= $testimonyID ?>" name="tbl_testimony_id">
        <h4>Rating: <span id="stars-<?= $testimonyID ?>"></span></h4>
        <h3><?= $witnessName ?></h3>
        <h4><?= $witnessDesignation ?></h4>
        <p><?= $testimony ?></p>
    </div>
</div>
<script>
    var rating = <?= $rating ?>;
    var starsContainer = document.getElementById('stars-<?= $testimonyID ?>');
    var stars = '';
    for (var i = 0; i < rating; i++) {
        stars += '&#9733;';
    }
    starsContainer.innerHTML = stars;
</script>
```

## Affected URL/Area

Source: `add-testimonial.php`

Sink: `index.php`

## Risk Rating

- Risk: **Low**
- Exploitation Difficulty: **Low**

## CVSS Justification

### Network - AV

The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet.

### Low - AC

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

### None - PR

The attacker is unauthorized prior to the attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

### None - UI

The vulnerable system can be exploited without interaction from any user.

### Unchanged - S

An exploited vulnerability can only affect resources managed by the same security authority.

### Low - C

There is some loss of confidentiality, but the information disclosure does not cause a direct, serious loss to the impacted component. The indirect confidentiality loss of being able to execute JavaScript in the context of users' browsers can lead to loss of sensitive information.

### Low - I

Modification of data is possible, but the negative security effects of the modification are limited.

### Low - A

Performance is reduced or there are interruptions in resource availability. Specifically, the stored data is loaded as JavaScript.

## Steps to reproduce

1) Navigate to the main page (`index.php`).
2) Enter `<script>alert(document.domain)</script>` in the name, description, and testimony fields.
3) Select any picture and a rating in the appropriate slots.
4) Click add; the alert box should now appear.

## Recommended Fix

Sanitize all user input, and do not blindly trust data even when it comes from the backend database.

## References

- https://portswigger.net/web-security/cross-site-scripting/stored
- https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/
- https://brightsec.com/blog/stored-xss/
- https://www.invicti.com/learn/stored-xss-persistent-cross-site-scripting/
- https://owasp.org/www-community/attacks/xss/

## Notes

Please credit Michael Blunt as the discovering researcher.
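As an added example (not code from the submission or from Testimonial Page Manager), the following shows one way to apply the recommended fix to the `index.php` rendering block: every value is encoded for the context it lands in, and the values that reach JavaScript or an `onclick` attribute are cast to integers, since HTML encoding alone does not neutralise input in a script context. `$row` is assumed to be one result row of the `tbl_testimony` query; the helper names are hypothetical.

```php
<?php
// Added example, not the project's code: hardened rendering of one testimony.
// Assumes $row is a result row of the tbl_testimony query; h() and
// renderTestimony() are hypothetical names.

// Encode for HTML body and quoted-attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTestimony(array $row): string {
    // Values that land in JavaScript or in onclick= are forced to integers.
    $id     = (int) $row['tbl_testimony_id'];
    $rating = max(0, (int) $row['rating']);
    // The image name is used as a URL path segment and an alt attribute:
    // reduce it to a bare file name, then encode it.
    $image  = h(basename((string) $row['image']));
    $name   = h((string) $row['witness_name']);
    $desig  = h((string) $row['witness_designation']);
    $text   = h((string) $row['testimony']);

    return <<<HTML
<div class="item" id="item-{$id}">
  <button class="btn btn-light delete-button" onclick="deleteTestimony({$id})">X</button>
  <div class="imgBox"><img src="./images/{$image}" alt="{$image}"></div>
  <div class="carousel-caption">
    <input type="hidden" class="id" value="{$id}" id="testimonyID-{$id}" name="tbl_testimony_id">
    <h4>Rating: <span id="stars-{$id}"></span></h4>
    <h3>{$name}</h3>
    <h4>{$desig}</h4>
    <p>{$text}</p>
  </div>
</div>
<script>
  // the repeat count is an integer literal, never raw database text
  document.getElementById('stars-{$id}').textContent = '★'.repeat({$rating});
</script>
HTML;
}

// Constructed sample row carrying the payload from the reproduction steps.
$sample = [
    'tbl_testimony_id'    => 7,
    'image'               => 'me.png',
    'witness_name'        => '<script>alert(document.domain)</script>',
    'witness_designation' => 'Developer',
    'testimony'           => 'Great "product" & service',
    'rating'              => 4,
];
echo renderTestimony($sample); // the payload is emitted as inert &lt;script&gt; text
```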
User: mikel22 (UID 51822)
Submission: 01.02.2024 04:09 (2 years ago)
Moderation: 02.02.2024 08:47 (1 day later)
Status: Accepted
VulDB Entry: 252694 [SourceCodester Testimonial Page Manager 1.0 HTTP POST Request add-testimonial.php name/description/testimony Cross Site Scripting]
Points: 17
