Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
Reported on
Jun 30th 2021
✍️ Description
There is a stored XSS in the online invoicing system which can be exploited by any user who has permission to add a client. When a comment is entered during the creation of a client, improper sanitization of that comment field lets the XSS payload be stored and later triggered.
🕵️‍♂️ Proof of Concept
Video POC:
https://drive.google.com/file/d/1g6if1zfpq9Wo5ASzSGztk_Xpuw6hpc7O/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>
💥 Impact
Any user who has permission to add clients could use the stored payload against the admin or any other user who can view clients.
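A worked illustration of the mechanism the description gives (a client comment stored as typed, then echoed into an HTML page) beside the output encoding that neutralises it. This is an added example in PHP, the application's language, and is not code from the invoicing system; the function names and the `<td>` wrapper are assumptions, and the sample input is the payload quoted in the PoC above.

```php
<?php
// Added example, not code from bigprof-software/online-invoicing-system.
// It models the report's mechanism: a client "comment" is stored as typed and
// later echoed into an HTML page. Function and field names are hypothetical.

// Constructed sample input: the payload quoted in the report.
const SAMPLE_COMMENT = "'''><svg/onload=prompt(5)>";

// Vulnerable pattern: the stored string is placed into the page unchanged,
// so the browser parses <svg ...> as markup and runs its onload handler.
function render_comment_unsafe(string $comment): string
{
    return '<td class="comments">' . $comment . '</td>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES also encodes single quotes, which matters because the payload
// opens with ''' to break out of a single-quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string (which would
// silently drop the comment).
function html_encode(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment_safe(string $comment): string
{
    return '<td class="comments">' . html_encode($comment) . '</td>';
}

// Regression check a maintainer can keep in the test suite: after encoding,
// no angle bracket or quote from the untrusted input may survive verbatim.
function encoded_is_inert(string $encoded): bool
{
    return strpbrk($encoded, "<>\"'") === false;
}

echo "unsafe: " . render_comment_unsafe(SAMPLE_COMMENT) . PHP_EOL;
echo "safe:   " . render_comment_safe(SAMPLE_COMMENT) . PHP_EOL;

if (!encoded_is_inert(html_encode(SAMPLE_COMMENT))) {
    fwrite(STDERR, "output encoding failed" . PHP_EOL);
    exit(1);
}
echo "encoded comment contains no raw markup characters" . PHP_EOL;
```

Encoding at output time is the thing to check when reviewing the clients page: if the comment column reaches the template through `htmlspecialchars` with `ENT_QUOTES` (or an equivalent contextual encoder), the stored payload renders as inert text; if it is echoed raw, or only passed through a tag blacklist, the behaviour the reporter describes follows. Running the script prints both renderings and exits non-zero if any raw `<`, `>` or quote survives the encoding step.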
Occurrences
The code you're linking to above is from an older release. Please confirm if this is applicable to the latest release. You reported a similar issue for the invoices page that I wasn't able to reproduce.
Same for this one, sir. I cloned the latest repo from GitHub and then tested the application. Also, as you said, the latest release: I will download it from the release section, retest it, and let you know, sir. As per this report, steps to reproduce:
Start the server. Log in as a user who has permission to make clients. Enter the given payload in the comment box. Save the client and you will see a pop-up.
Hello, @maintainer. I just checked the latest version as well; the payload is executed there too, with the same payload. Video POC from downloading the latest version to exploitation: https://drive.google.com/file/d/1Dbw5vSli6srWXgMcn2T4dFEGaNB-VvfJ/view?usp=sharing
I tried testing this again on both the master commit and v5.0 ... I still wasn't able to reproduce it. Please see my latest comment on the thread https://www.huntr.dev/bounties/1625043502189-bigprof-software/online-invoicing-system/ as it's a very similar scenario. I do want to fix this issue, if it exists, but I just can't tell why your results differ from what I have on my side :/
Yes, can you try typing the payload manually? Because it is working on my side, and I am using PHP 7.
Here is what I tried .. no alert box: https://cdn.bigprof.com/screencasts/xss-test.mp4
Finally!! Thank you for this. I have also reported some vulnerabilities in the online rental property management software; please have a look and validate:
https://www.huntr.dev/bounties/1625331222863-bigprof-software/online-invoicing-system/
https://www.huntr.dev/bounties/1625330899924-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625284759984-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625284054254-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625281713530-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625280763977-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279905982-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279781154-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279711235-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279620358-bigprof-software/online-rental-property-manager/
yep .. will check them later tonight. I need some fresh air now :D