Submission #436547: PHPGurukul Hospital Management System (HMS) 4.0 Improper Neutralization of Alternate XSS Syntax

Information

Title: PHPGurukul Hospital Management System (HMS) 4.0 Improper Neutralization of Alternate XSS Syntax
Description:

# [XSS vulnerability] found in Hospital Management System (HMS) 4.0 - (betweendates-detailsreports.php)

Affected Project: **Hospital Management System (HMS)**
Platform: Web/PHP
Vendor: PHPGurukul
Official Website: https://phpgurukul.com/hospital-management-system-in-php/
Version: 4.0
Updated: 16 May 2024
Vulnerable path/file: hms/admin/betweendates-detailsreports.php
Injection parameters: `fromdate`, `todate`
Size: 16.7 MB
SHA256: 705263fd0533fde4c8c4d332bf943ea66de98645262cc896f415c897e824455a

## Vulnerability Description

The variables `$fdate` and `$tdate` are vulnerable to XSS because they take their values from the `$_POST` array and are echoed directly into the page without any sanitization or encoding. Any HTML or JavaScript submitted in these fields is therefore rendered as part of the HTML output, and embedded JavaScript is executed. This allows an attacker to inject arbitrary HTML or JavaScript code, leading to an XSS attack.

## Vulnerable code

```php
$fdate=$_POST['fromdate'];   // attacker-controlled, never validated
$tdate=$_POST['todate'];     // attacker-controlled, never validated
?>
<!-- both values are echoed raw into the HTML body -->
<h5 align="center" style="color:blue">Report from <?php echo $fdate?> to <?php echo $tdate?></h5>
```

## Injection Payload Tested

Set both `fromdate` and `todate` to:

```html
<script>alert('XSS')</script>
```

## Execution

When the browser renders the response to the `POST` request, the `<script>alert('XSS')</script>` code is executed, resulting in a popup displaying `"XSS"`.

## Demonstration

Below is how `betweendates-detailsreports.php` looks: https://i.postimg.cc/HnXLvmhw/1.png

Because the page is reached through a POST request, a file `test_form.html` with the following content is used to trigger the XSS popup:

```html
<form method="POST" action="http://localhost/hospital/hms/admin/betweendates-detailsreports.php">
  <input type="text" name="fromdate" value="<script>alert('XSS')</script>">
  <input type="text" name="todate" value="<script>alert('XSS')</script>">
  <input type="submit" value="Submit">
</form>
```

Then open it in the browser, for example: `file:///home/username/Desktop/test_form.html` https://i.postimg.cc/T2gY6Rtm/2.png

Before submitting the POST request we must be logged in. Default login info:

- URL: http://localhost/hospital/hms/admin/index.php
- Username: admin
- Password: Test@12345

After submitting the payload via POST with the vulnerable parameters `fromdate` and `todate` set to the XSS payload `"><script>alert('XSS')</script>`, XSS is triggered: https://i.postimg.cc/B6fkcG29/3.png

Clicking OK lets rendering continue, and the second payload fires as well: https://i.postimg.cc/5N2GmgQ0/4.png

## Recommendation for Preventing XSS

To fix this vulnerability, user input must always be encoded before it is rendered into HTML. In PHP, `htmlspecialchars()` encodes the special characters. Example:

```php
$fdate = htmlspecialchars($_POST['fromdate'], ENT_QUOTES, 'UTF-8');
$tdate = htmlspecialchars($_POST['todate'], ENT_QUOTES, 'UTF-8');
?>
<h5 align="center" style="color:blue">Report from <?php echo $fdate ?> to <?php echo $tdate ?></h5>
```

> One Click Can Change Everything: Be Secure.
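The fix above encodes the values at output time. The following is an added example (not part of the advisory and not PHPGurukul's code) that goes one step further: it validates `fromdate` and `todate` as real `YYYY-MM-DD` dates before they are used and still encodes them on output, so a payload like the one tested above is rejected outright instead of being echoed. The function names, the assumed date format, and the sample requests are assumptions made for this example.

```php
<?php
// Added example (not part of the original advisory or of PHPGurukul HMS):
// a hardened way to handle the fromdate/todate parameters of
// betweendates-detailsreports.php. Two independent layers:
//  1. strict input validation: only values that are real YYYY-MM-DD dates pass
//     (the date format is an assumption for this example),
//  2. output encoding with htmlspecialchars() for anything echoed into HTML.
// validReportDate() and renderReportHeading() are hypothetical helper names.

declare(strict_types=1);

/**
 * Return the date as canonical YYYY-MM-DD, or null if the input is not a
 * valid date. Parsing with createFromFormat() and comparing the re-formatted
 * value against the input rejects junk such as "<script>..." as well as
 * overflowing dates like 2024-02-30 (which PHP would otherwise roll over).
 */
function validReportDate(?string $input): ?string
{
    if ($input === null) {
        return null;
    }
    // '!' resets unspecified fields so the round-trip comparison is exact.
    $dt = DateTime::createFromFormat('!Y-m-d', $input);
    if ($dt === false || $dt->format('Y-m-d') !== $input) {
        return null;
    }
    return $dt->format('Y-m-d');
}

/**
 * Build the <h5> heading that the vulnerable page prints. Even though the
 * values were validated, they are still encoded: validation and encoding are
 * separate defences and both belong on the output path.
 */
function renderReportHeading(?string $fromdate, ?string $todate): string
{
    $fdate = validReportDate($fromdate);
    $tdate = validReportDate($todate);
    if ($fdate === null || $tdate === null) {
        // Refuse the request rather than echoing the attacker-controlled value.
        return '<h5 align="center" style="color:red">Invalid date range.</h5>';
    }
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h5 align="center" style="color:blue">Report from ' . $esc($fdate)
         . ' to ' . $esc($tdate) . '</h5>';
}

// Constructed sample POST bodies (not real traffic): one benign request and
// one carrying the payload from the advisory.
$requests = [
    ['fromdate' => '2024-05-01', 'todate' => '2024-05-16'],
    ['fromdate' => "<script>alert('XSS')</script>", 'todate' => "<script>alert('XSS')</script>"],
];

foreach ($requests as $post) {
    echo renderReportHeading($post['fromdate'] ?? null, $post['todate'] ?? null), PHP_EOL;
}
```

Run with `php example.php`: the first request yields the normal heading, the second is rejected before any of the submitted bytes reach the HTML. The validation step is the one that actually fits the data (a report date range has no legitimate reason to contain markup), while the encoding step remains as the safety net for anything that is still echoed.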
Source: https://github.com/secuserx/CVE/blob/main/%5BXSS%20vulnerability%5D%20found%20in%20Hospital%20Management%20System%20(HMS)%204.0%20-%20(betweendates-detailsreports.php).md
User: secuserx (UID 76735)
Submitted: 03.11.2024 16:31 (2 years ago)
Moderated: 04.11.2024 18:45 (1 day later)
Status: accepted
VulDB entry: 283030 [PHPGurukul Hospital Management System 4.0 betweendates-detailsreports.php fromdate/todate cross-site scripting]
Points: 20
