Vendor: User Management System
By: Besim ALTINOK
CVSS: 5.5 (MEDIUM)
Vulnerability: Persistent Cross-Site Scripting
CWE: 79
Product Name: User Management System
Affected Version From: 2
Affected Version To: 2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Xampp
Year: 2021

User Management System 2.0 – Persistent Cross-Site Scripting

User Management System 2.0 is vulnerable to persistent (stored) cross-site scripting (XSS). The flaw spans the user registration functionality and the admin dashboard: user input is inserted into the database without filtering, and the stored value is later printed on the page without output encoding. An attacker can exploit this by submitting script code as the 'fname' parameter during registration; the script executes when the page is viewed by other users, such as an administrator opening the dashboard.

Mitigation:

To mitigate this vulnerability, implement both input validation and output encoding. Validate and sanitize user input before it is inserted into the database, and HTML-encode every stored value at the point where it is rendered on the page; the output-encoding step is what stops the stored script from executing, including for records that are already in the database. Additionally, a web application firewall (WAF) can be used to detect and block malicious script code, but only as a secondary layer.
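The two code paths from the advisory, rewritten in hardened form. This is an added example and not code from the advisory or from PHPGurukul; it assumes `$con` is an open mysqli connection and that the `users` table has the columns named in the original insert. Registration goes through a parameterised statement after basic validation, and the dashboard escapes each stored value with `htmlspecialchars()` as it is rendered, so a stored `<script>` tag is displayed as text rather than executed.

```php
<?php
// Added example (not from the advisory or the vendor): hardened registration
// and dashboard rendering. Assumes $con is an open mysqli connection.

// Input validation for the name fields: trim and reject empty/overlong values.
// Validation limits what gets stored; it is not a substitute for output encoding.
function clean_name(string $raw): ?string
{
    $value = trim($raw);
    // Length limit is an assumption; adjust to the users table schema.
    if ($value === '' || mb_strlen($value) > 60) {
        return null;
    }
    return $value;
}

// Registration with a prepared statement, so submitted values are bound as
// data and never become part of the SQL text.
function register_user(mysqli $con, array $post): bool
{
    $fname   = clean_name($post['fname'] ?? '');
    $lname   = clean_name($post['lname'] ?? '');
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $contact = $post['contact'] ?? '';
    if (!preg_match('/^\+?[0-9]{6,15}$/', $contact)) {
        $contact = null;
    }
    if ($fname === null || $lname === null || $email === false || $contact === null) {
        return false;
    }
    // Hashing the password is standard practice; it is independent of the XSS finding.
    $hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);

    $stmt = $con->prepare(
        'INSERT INTO users (fname, lname, email, password, contactno) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $fname, $lname, $email, $hash, $contact);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output encoding: every stored value is HTML-escaped where it is rendered.
// "<script>" becomes "&lt;script&gt;" and the browser shows it as text.
function e(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Dashboard table body, built from escaped values only.
function render_user_rows(mysqli $con): string
{
    $html = '';
    $cnt  = 1;
    $ret  = $con->query('SELECT fname, lname, email, contactno, posting_date FROM users');
    while ($row = $ret->fetch_assoc()) {
        $html .= '<tr>'
            . '<td>' . $cnt++ . '</td>'
            . '<td>' . e($row['fname']) . '</td>'
            . '<td>' . e($row['lname']) . '</td>'
            . '<td>' . e($row['email']) . '</td>'
            . '<td>' . e($row['contactno']) . '</td>'
            . '<td>' . e($row['posting_date']) . '</td>'
            . '</tr>';
    }
    return $html;
}

// Self-check of the encoding step on a constructed value (no database needed):
// the kind of fname value the advisory describes, passed through e().
$constructed = '<script>prompt(1)</script>';
assert(e($constructed) === '&lt;script&gt;prompt(1)&lt;/script&gt;');

if (isset($_POST['signup'])) {
    echo register_user($con, $_POST)
        ? '<script>alert("Register successfully");</script>'
        : '<p>Registration rejected: please check the submitted fields.</p>';
}
```

The important design point is that `e()` is applied at render time, not at insert time: encoding on output protects the dashboard regardless of how a value reached the database, including rows stored before the fix, and avoids double-encoding if the same value is later emitted in a non-HTML context.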
Source (Exploit-DB raw data):

# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT

------ Details:

1- Vulnerable code is here:

Insert user registration information to the DB without filtering.

if(isset($_POST['signup']))
{
    $fname=$_POST['fname'];
    $lname=$_POST['lname'];
    $email=$_POST['email'];
    $password=$_POST['password'];
    $contact=$_POST['contact'];
    $enc_password=$password;
    $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno) values('$fname','$lname','$email','$enc_password','$contact')");
    if($msg)
    {
        echo "<script>alert('Register successfully');</script>";
    }
}

2- In the admin dashboard:

Get the full name from the DB and print it without any filtering.

<?php $ret=mysqli_query($con,"select * from users");
$cnt=1;
while($row=mysqli_fetch_array($ret))
{?>
<tr>
    <td><?php echo $cnt;?></td>
    <td><?php echo $row['fname'];?></td>
    <td><?php echo $row['lname'];?></td>
    <td><?php echo $row['email'];?></td>
    <td><?php echo $row['contactno'];?></td>
    <td><?php echo $row['posting_date'];?></td>
</tr>
<?php $cnt++; } ?>

4- If we insert the value of "fname" as "<script>prompt(1)</script>", we can perform this attack as "Stored XSS".