Submit #249881: SourceCodester Wedding Guest Management System 1.0 Stored Cross Site Scripting (XSS)

Info:

Title: SourceCodester Wedding Guest Management System 1.0 Stored Cross Site Scripting (XSS)
Description:

# Stored Cross Site Scripting in Sourcecodester's Wedding Guest E-Book System 1.0

## Summary

Fields in `guest-form.php` take input from the user and store it in a backend SQL database. This data is not sanitized for special HTML characters before being displayed in `guest-list.php`.

## Issue Description

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Note: no authentication is required to use this software.

The entry point for this vulnerability is `guest-form.php`. `guest-form.php` takes input from the user and creates a POST request to the `add-guest.php` endpoint. This endpoint takes the input values and submits them to the backend SQL database. Note that the SQL statement is prepared correctly and is not susceptible to SQL injection.

`add-guest.php` lines 13-21:

```
$stmt = $conn->prepare("INSERT INTO tbl_guest (name, relationship, message, first_child, number_of_child) VALUES (:name, :relationship, :message, :first_child, :number_of_child)");
$stmt->bindParam(":name", $name, PDO::PARAM_STR);
$stmt->bindParam(":relationship", $relationship, PDO::PARAM_STR);
$stmt->bindParam(":message", $message, PDO::PARAM_STR);
$stmt->bindParam(":first_child", $firstChild, PDO::PARAM_STR);
$stmt->bindParam(":number_of_child", $numberChildren, PDO::PARAM_STR);
$stmt->execute();
```

After the user input is stored in the SQL database, it is reflected back to users via `guest-list.php`. This endpoint simply takes data from the SQL database and displays it on the page. There is no sanitization of this data as it comes from the database. This creates opportunities for attackers to launch cross-site scripting attacks.

Because the attack only requires an attacker to submit malicious data to the server, and the server reflects that data back to the user, this constitutes a stored cross-site scripting vulnerability.

Data retrieval, `guest-list.php` lines 49-60:

```
$stmt = $conn->prepare("SELECT * FROM tbl_guest");
$stmt->execute();
$result = $stmt->fetchAll();
// Line 54 omitted in report for clarity
$guestID = $row["tbl_guest_id"];
$name = $row["name"];
$relationship = $row["relationship"];
$message = $row["message"];
$firstChild = $row["first_child"];
$numberChildren = $row["number_of_child"];
```

Reflection, `guest-list.php` lines 65-73:

```
<input type="text" value="<?= $guestID ?>" id="<?= $guestID ?>" hidden>
<h3 class="card-title" id="name-<?= $guestID ?>"><?= $name ?></h3>
<h5 class="card-subtitle mb-2 text-muted" id="relationship-<?= $guestID ?>"><?= $relationship ?></h5>
<h5>Message:</h5>
<p class="card-text" id="message-<?= $guestID ?>"><?= $message ?></p>
<h5>Prediction</h5>
<h6>Year of First Child: <span  id="firstChild-<?= $guestID ?>"><?= $firstChild ?></span></h6>
<h6>Number of Childer after 5 years: <span id="numberChilder-<?= $guestID ?>"><?= $numberChildren ?></span></h6>
```

## Affected URL/Area

Source: `guest-form.php`

Sink: `guest-list.php`

## Risk Rating

- Risk: **Low**
- Exploitation Difficulty: **Low**

## CVSS Justification

### Network - AV

The vulnerable component is bound to the network stack. The set of possible attackers extends beyond local attacks, up to and including the entire Internet.

### Low - AC

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

### None - PR

The attacker is unauthorized prior to the attack and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

### None - UI

The vulnerable system can be exploited without interaction from any user.

### Unchanged - S

An exploited vulnerability can only affect resources managed by the same security authority.

### Low - C

There is some loss of confidentiality, but the information disclosure does not cause a direct, serious loss to the impacted component. The indirect confidentiality loss of being able to execute JavaScript in the context of users' browsers can lead to loss of sensitive information.

### Low - I

Modification of data is possible, but the negative security effects of the modification are limited.

### Low - A

Performance is reduced or there are interruptions in resource availability. Specifically, the data is being loaded as JavaScript.

## Steps to reproduce

Curl command:

```
curl 'http://localhost/wedding-guest-e-book/endpoint/add-guest.php' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-raw 'name=%3Cscript%3Ealert%28%27XSS+Source+1%27%29%3B%3C%2Fscript%3E&relationship=%3Cscript%3Ealert%28%27XSS+Source+2%27%29%3B%3C%2Fscript%3E&message=%3Cscript%3Ealert%28%27XSS+Source+3%27%29%3B%3C%2Fscript%3E&first_child=%3Cscript%3Ealert%28%27XSS+Source+4%27%29%3B%3C%2Fscript%3E&number_of_child=%3Cscript%3Ealert%28%27XSS+Source+5%27%29%3B%3C%2Fscript%3E' \
  --compressed
```

Be sure to replace localhost with the remote destination and replace the alert payload with a custom XSS payload. More simply, you can navigate to the `guest-form.php` endpoint and type your payload into the input text box.

## Affected Demographic/User Base

All users of the system are susceptible to attacks. Guests who visit the guest list page with an attack embedded are at risk of having JavaScript run within the context of their browsers. This can result in cookie snatching and many other attacks.

## Recommended Fix

Sanitize all user input, and do not blindly trust data even if it is coming from the backend database.
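The escape-on-output fix for the `guest-list.php` sink, as an added example that is not part of this report or the project's code. It assumes PHP 8+, the same `$row` keys the report quotes, and a constructed sample row in place of the database query:

```php
<?php
// Added example (not the project's code): escape every database value at the
// point where guest-list.php writes it into HTML, instead of trusting it.
declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted attribute value.
 *  ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE avoids returning ''
 *  on invalid UTF-8, which would silently drop a field from the page. */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one guest card with the same markup and element ids the report
 *  quotes; every $row value goes through e() before it reaches the output. */
function renderGuestCard(array $row): string
{
    $id           = e($row['tbl_guest_id']);
    $name         = e($row['name']);
    $relationship = e($row['relationship']);
    $message      = e($row['message']);
    $firstChild   = e($row['first_child']);
    $numChildren  = e($row['number_of_child']);

    return <<<HTML
<input type="text" value="{$id}" id="{$id}" hidden>
<h3 class="card-title" id="name-{$id}">{$name}</h3>
<h5 class="card-subtitle mb-2 text-muted" id="relationship-{$id}">{$relationship}</h5>
<h5>Message:</h5>
<p class="card-text" id="message-{$id}">{$message}</p>
<h5>Prediction</h5>
<h6>Year of First Child: <span id="firstChild-{$id}">{$firstChild}</span></h6>
<h6>Number of Children after 5 years: <span id="numberChilder-{$id}">{$numChildren}</span></h6>
HTML;
}

// Constructed sample row: the shape of the report's payload, no database needed.
$sample = [
    'tbl_guest_id'    => 7,
    'name'            => "<script>alert('XSS Source 1');</script>",
    'relationship'    => 'Friend',
    'message'         => 'Congrats" onmouseover="alert(1)',   // attribute-breakout attempt
    'first_child'     => '2025',
    'number_of_child' => null,                                  // NULL column is rendered as ''
];

$html = renderGuestCard($sample);
// The payload must survive only in its escaped form, never as a live tag or attribute.
$safe = !str_contains($html, '<script>') && !str_contains($html, 'onmouseover="')
     && str_contains($html, '&lt;script&gt;');
echo $html, PHP_EOL, ($safe ? 'OK: payload neutralised' : 'FAIL: raw markup in output'), PHP_EOL;
```

This covers the two contexts the report's reflection block uses (text nodes and double-quoted attributes); a value placed inside a `<script>` block, a URL, or an inline event handler needs its own context-specific encoding, which `htmlspecialchars` alone does not provide.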
## References

- https://portswigger.net/web-security/cross-site-scripting/stored
- https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/
- https://brightsec.com/blog/stored-xss/
- https://www.invicti.com/learn/stored-xss-persistent-cross-site-scripting/
- https://owasp.org/www-community/attacks/xss/

## Notes

Please credit Michael Blunt as the discovering researcher. Developers have been contacted and a responsible disclosure process is underway/finished.

Source Code URL (12/09/2023): https://www.sourcecodester.com/php/17043/wedding-guest-e-book-using-php-and-mysql-source-code.html
User: mikel22 (UID 51822)
Submission: 10/12/2023 12:41 AM (2 years ago)
Moderation: 13/12/2023 10:33 AM (3 days later)
Status: Accepted
VulDB entry: 247899 [SourceCodester Wedding Guest e-Book 1.0 /endpoint/add-guest.php name cross site scripting]
Points: 17
