| Field | Value |
|---|---|
| Title | Stored Cross-Site Scripting (XSS) vulnerability in PHPGURUKUL Bank Locker Management System 1.0 allows attackers to execute arbitrary code on administrator's browser |

# DESCRIPTION
A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in PHPGURUKUL Bank Locker Management System 1.0. The vulnerability exists in the Assign Locker feature, where a user can inject a malicious XSS payload into their username when filling out the form. The payload is then stored on the server and subsequently displayed to other users without proper validation or sanitization. An attacker can exploit this vulnerability by tricking an administrator into editing the locker assignment of that user, causing the XSS payload to execute in the administrator's browser. This allows the attacker to steal sensitive information, perform actions on behalf of the administrator, or redirect the administrator to a malicious site.
# VULNERABILITY TYPE: STORED CROSS-SITE SCRIPTING (XSS)
# VENDOR OF THE PRODUCT: PHPGURUKUL
# AFFECTED PRODUCT: Bank Locker Management System
# VERSION: 1.0
# ATTACK TYPE: REMOTE
# IMPACT: CODE EXECUTION
# AFFECTED COMPONENTS: SOURCE CODE (add-locker-form.php)
# ATTACK VECTOR: Add Locker Form (ahname parameter)
# TESTED ON: WINDOWS 11 + XAMPP
# REFERENCES
CWE-79: https://cwe.mitre.org/data/definitions/79.html
# PROOF_OF_CONCEPT
https://github.com/ctflearner/Vulnerability/blob/main/Bank_Locker_Management_System/BLMS_XSS_IN_ADMIN_BROWSER.md
# STEPS_TO_REPRODUCE
1. Navigate to `http://localhost/BLMS/banker/index.php` and log in as a normal user with your user credentials.
2. Open the `Assign Locker` tab in the left panel and select `Add`.
3. You will be redirected to `http://localhost/BLMS/banker/add-locker-form.php`.
4. Fill in the form, keeping the default values; enter any random number for the locker number and key number, and in the `name` parameter enter the payload below.
5. Payload: `XSS-USER"><iMg SrC="x" oNeRRor="alert(document.domain);">`
6. After filling in the form and clicking the Submit button, log out of the user account and log in with the admin account credentials.
7. Open the `Assign Locker` tab in the left panel and select `Manage`; you will be redirected to `http://localhost/BLMS/banker/manage-locker-form.php`.
8. Search for the user's locker number (my locker number is `889900`), then click `Edit` in the `Action` column; you will see that the XSS payload is executed.
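As an added illustration (not PHPGurukul's code; the advisory does not show the vulnerable source), the following PHP models the likely sink and its fix: the stored `ahname` value echoed into a `value` attribute on the admin's edit form, first unencoded and then encoded with `htmlspecialchars`. The `isPlausibleHolderName` check is a hypothetical extra input-validation layer for the add-locker form.

```php
<?php
// Added example, not PHPGurukul's code. The advisory does not show the
// vulnerable source, so this models the likely pattern: the stored account
// holder name (the ahname parameter) is echoed into a value="..." attribute
// of the admin's edit form without encoding.

// The exact payload from the advisory, as it would come back from the database.
$storedName = 'XSS-USER"><iMg SrC="x" oNeRRor="alert(document.domain);">';

// Vulnerable rendering: raw interpolation into an HTML attribute. The leading
// "> closes the value attribute and the <input> tag, so the <img> becomes live
// markup and its onerror handler runs in the administrator's browser.
function renderVulnerable(string $name): string
{
    return '<input type="text" name="ahname" value="' . $name . '">';
}

// Hardened rendering: contextual output encoding for an HTML attribute.
// ENT_QUOTES escapes both " and ' so the attribute cannot be closed early;
// ENT_SUBSTITUTE keeps htmlspecialchars from returning "" on invalid UTF-8.
function renderHardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="ahname" value="' . $safe . '">';
}

// Defence in depth for the add-locker form: an account holder name has no
// business containing angle brackets or quotes, so reject such input at
// submission time as well. (Hypothetical rule; adjust to the real name format.)
function isPlausibleHolderName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'-]{1,100}$/u', $name) === 1;
}

echo "Vulnerable:\n" . renderVulnerable($storedName) . "\n\n";
echo "Hardened:\n" . renderHardened($storedName) . "\n\n";
echo "Accepted at submission? " . (isPlausibleHolderName($storedName) ? 'yes' : 'no') . "\n";
```

Output encoding at the point where the value is rendered is the actual fix; the validation rule only narrows what reaches storage and must not be relied on alone, since the same name is shown in several pages.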

| Field | Value |
|---|---|
| Source | https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/ |
| User | Affan (UID 39417) |
| Submission | 01/28/2023 15:28 |
| Moderation | 01/28/2023 23:23 |
| Status | Accepted |
| VulDB entry | 219717 [PHPGurukul Bank Locker Management System 1.0 Assign Locker add-locker-form.php ahname cross site scripting] |
| Points | 20 |