Vendor: Online Farm Management System
Author: KeopssGroup0day,Inc
CVSS: 9.3 (HIGH)
Vulnerability: Persistent Cross-Site Scripting
CWE: 79
Product Name: Online Farm Management System
Affected Version From: 0.1.0
Affected Version To: 0.1.0
Patch Exists: NO
Related CWE: N/A
CPE: a:sourcecodester:online_farm_management_system:0.1.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2020

Online Farm Management System 0.1.0 – Persistent Cross-Site Scripting

Online Farm Management System 0.1.0 is vulnerable to Persistent (stored) Cross-Site Scripting. An attacker can submit JavaScript through the review form; the stored comment is later echoed into the review page (review.php) without output encoding, so the script executes in the browser of every victim who loads that page. The injected code can be used to steal the victim's session, redirect the victim to a malicious website, or perform other actions in the victim's browser context.

Mitigation:

Input validation should be used to prevent the injection of malicious code: the application should validate all user input and reject any review that contains script or markup.
Source: Exploit-DB raw data

# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
# Software Link: https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
# Version: 0.1.0
# Tested on: Kali Linux

Source code (review.php), vulnerable excerpt with the alternative-syntax blocks closed so the fragment is well-formed:
<?php
if($result) :
while($row1 = $result->fetch_array()) :
?>
  <div class="con">
    <div class="row">
      <div class="col-sm-4">
        <!-- the stored comment is echoed without output encoding: this is the stored XSS sink -->
        <em style="color: black;"><?= $row1['comment']; ?></em>
      </div>
    </div>
  </div>
<?php
endwhile;
endif;
?>


POC:

1. Go to http://192.168.1.58/a/review.php?pid=31
2. Use the payload <script>alert(1)</script>
3. Write a review containing the payload and submit it
4. Refresh the page
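The fix the mitigation section asks for is best applied at the output sink shown in review.php rather than only by rejecting input: a review is plain text and should be HTML-encoded when it is written into the page. The following is an added example, not code from the advisory or from the Online Farm Management System code base. It assumes PHP 8 (for str_contains), reproduces the unescaped `<em>` rendering of review.php beside a hardened version that uses htmlspecialchars, and runs a small check over constructed sample comments, including the advisory's `<script>alert(1)</script>` payload and a benign comment that legitimately contains `<`.

```php
<?php
// Added example (not from the original advisory or the Online Farm Management
// System code base). Demonstrates the unescaped review sink from review.php
// next to an output-encoded version, over constructed sample comments that
// stand in for rows fetched from the database.

declare(strict_types=1);

/**
 * Mirrors the vulnerable behaviour of review.php: the stored comment is
 * concatenated straight into the HTML body, so any markup in it is rendered
 * and any <script> element it contains executes.
 */
function renderCommentVulnerable(string $comment): string
{
    return '<em style="color: black;">' . $comment . '</em>';
}

/**
 * Hardened form: HTML-encode the comment at the point it is emitted.
 * ENT_QUOTES also encodes single and double quotes, ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string, and ENT_HTML5 selects
 * HTML5 entity rules. The browser shows the original text but never parses
 * it as markup.
 */
function renderCommentSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<em style="color: black;">' . $encoded . '</em>';
}

/**
 * Defender-side check for a rendering test: true when the fragment still
 * contains raw angle brackets inside the fixed <em> wrapper, i.e. the
 * user-supplied value reached the page without output encoding.
 */
function containsRawMarkup(string $html): bool
{
    // Remove the fixed wrapper, then look for '<' or '>' in what remains.
    $inner = preg_replace('#^<em style="color: black;">|</em>$#', '', $html);
    return str_contains($inner, '<') || str_contains($inner, '>');
}

// Constructed sample rows: the payload quoted in the advisory and a benign
// farm comment that legitimately contains a '<' character.
$sampleComments = [
    '<script>alert(1)</script>',
    'Harvest was < 5 tons this season',
];

foreach ($sampleComments as $comment) {
    $vuln = renderCommentVulnerable($comment);
    $safe = renderCommentSafe($comment);
    printf("vulnerable: %s  [raw markup: %s]\n", $vuln, containsRawMarkup($vuln) ? 'yes' : 'no');
    printf("hardened:   %s  [raw markup: %s]\n\n", $safe, containsRawMarkup($safe) ? 'yes' : 'no');
}
```

Run it with `php review_sink_example.php` (file name is an assumption). For the advisory's payload the vulnerable renderer emits a live `<script>` element, while the hardened renderer emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. The benign comment shows why encoding at the sink is preferable to a reject-on-`<` input filter: the text is kept intact for the reader instead of being refused or silently mangled.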