Reflected XSS on ID parameter in unilogies/bumsys

Valid

Reported on

Oct 30th 2022


Description

Vulnerable code:

    <input type="hidden" name="accounts_id" value="<?php echo $_GET['id']; ?>">

Proof of Concept

https://demo.bumsys.org/xhr/?icheck=false&module=accounts&page=editAccount&id=test"><body%20onpageshow=alert(1)>

Impact

  1. Perform any action within the application that the user can perform.
  2. View any information that the user is able to view.
  3. Modify any information that the user is able to modify.
  4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
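The reported line echoes `$_GET['id']` straight into a double-quoted attribute, which is why a value ending the attribute with `">` lets the rest of the parameter be parsed as markup. The following is an added example, not code from the bumsys project: it puts that pattern beside the hardened form the thread settles on (htmlentities() with ENT_QUOTES, so both `"` and `'` are encoded), runs both over constructed sample values, and checks the result. The function names renderHiddenUnsafe/renderHiddenSafe and the sample values are assumptions made for the example; htmlentities, ENT_QUOTES, ENT_SUBSTITUTE and ENT_COMPAT are the real PHP functions and flags.

```php
<?php
// Added example, not code from the bumsys project: the vulnerable pattern from
// the report next to a hardened version. Run from the CLI with `php`.

// Vulnerable pattern as reported: $_GET['id'] is echoed verbatim inside a
// double-quoted attribute, so a value containing `">` closes the attribute and
// the tag, and whatever follows is parsed as markup.
function renderHiddenUnsafe(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="accounts_id" value="' . $id . '">';
}

// Hardened version, as recommended in the thread: encode for the HTML attribute
// context. ENT_QUOTES encodes both " and ' (the single-quote gap raised in the
// thread), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, and the charset is passed explicitly rather than left to ini defaults.
function renderHiddenSafe(array $get): string
{
    $id = htmlentities((string) ($get['id'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="accounts_id" value="' . $id . '">';
}

// Small check helper so the script fails loudly regardless of zend.assertions.
function check(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed sample inputs (not the report's PoC): a double-quote breakout and
// a single-quote variant of the kind the thread discusses.
$samples = [
    'test"><b>x',
    "test'><b>x",
];

foreach ($samples as $value) {
    $get    = ['id' => $value];
    $unsafe = renderHiddenUnsafe($get);
    $safe   = renderHiddenSafe($get);

    echo "unsafe: $unsafe\n";
    echo "safe:   $safe\n";

    // The unsafe render carries the injected '<' through as markup; the safe
    // render contains exactly one '<' (the input element itself) and the raw
    // user value no longer appears anywhere in the output.
    check(substr_count($unsafe, '<') === 2, 'unsafe render should contain the injected tag');
    check(substr_count($safe, '<') === 1, 'safe render should contain only the input element');
    check(strpos($safe, $value) === false, 'raw value must not survive encoding');
}

// ENT_QUOTES is what encodes the single quote; with ENT_COMPAT it passes through,
// which is the gap the researcher reported after the first fix.
check(htmlentities("it's", ENT_QUOTES, 'UTF-8') === 'it&#039;s', 'ENT_QUOTES encodes the single quote');
check(htmlentities("it's", ENT_COMPAT, 'UTF-8') === "it's", 'ENT_COMPAT leaves the single quote alone');

echo "all checks passed\n";
```

This encoding is correct for a value placed inside a quoted HTML attribute, which is the context in the report. A value written into an unquoted attribute, a JavaScript string, or a URL needs the encoding for that context instead, so the fix should be applied per output location rather than once on input.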

Occurrences

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back a year ago
unilogies/bumsys maintainer
a year ago

Maintainer


This is Khurshid Alam from bumsys.

You are really doing great work @krizzsk 👌

Now, let's discuss the vulnerability.

Though you must log in to access this resource, we should fix this issue. There are more issues like this, I guess.

One of these: https://demo.bumsys.org/products/edit-product/?pid=9 Isn't it?

But, in your given URL you cannot access any resources (whether you log in or not). Could you please show the exact scenario and how it will work?

And I will be very grateful if you give the best fix for this issue.

Thank you.

Joel Verghese
a year ago

Researcher


Hi Khurshid, thanks for the kind words. I will spend more time on the program and assess the code to find more vulnerabilities. The URL you mentioned is not vulnerable to reflected XSS as the input is not being reflected in the source of the page. That said, to fix these issues I'd recommend using the htmlentities() function in PHP. You can read about it here: https://knowledge-base.secureflag.com/vulnerabilities/cross_site_scripting/cross_site_scripting_php.html.

Regarding your query "But, in your given URL you cannot access any resources (either you login or not). Could you please show the exact scenario and how it will work?": an attacker just needs to send the reported malicious link to an innocent user and wait for him to click on it, which would then execute the malicious payload on the user's end. Please read about it in detail here: https://www.linkedin.com/pulse/reflected-xss-flaw-underestimated-web-application-santhirasekaran#:~:text=Reflected%20XSS%20attacks%2C%20also%20known,enables%20execution%20of%20malicious%20scripts.

Please let me know if you have any more questions.

unilogies/bumsys maintainer
a year ago

Maintainer


Hello, thank you for your reply.

I have fixed the issue and updated. Please check and let me know if it is okay.

I will eagerly wait for your next update. Thank you again.

Joel Verghese
a year ago

Researcher


Hi, can you please let me know if you have deployed the fixed version on the host https://demo.bumsys.org/ so I can double-verify the fix?

Cheers, @krizzsk

unilogies/bumsys maintainer
a year ago

Maintainer


Yes sir, I have deployed the fixed version on https://demo.bumsys.org/

  • Khurshid Alam
Joel Verghese
a year ago

Researcher


Hi, I have confirmed the fix; however, the single quotes are not escaped and might lead to a filter bypass. For that I recommend escaping single quotes as well. You can find more details here: https://github.com/X-Vector/XSS_Bypass/blob/master/htmlspecialchars%20-%20htmlentities/README.md. The last 2 lines will help fix the single quote escaping problem.

Cheers, @krizzsk

unilogies/bumsys maintainer
a year ago

Maintainer


Thank you.

I think from PHP 8 the default flag is changed to ENT_QUOTES.

I am using 8.1.6, so I cannot see the effect. Now I am adding the ENT_QUOTES flag along with htmlentities().

  • Khurshid Alam
unilogies/bumsys maintainer
a year ago

Maintainer


Hello, it has been done. Could you please recheck and let me know if it is okay? Thank you.

Joel Verghese
a year ago

Researcher


Hi, I can confirm the fix.

Cheers, @krizzsk

unilogies/bumsys maintainer
a year ago

Maintainer


Great work @krizzsk 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

Khurshid Alam validated this vulnerability a year ago
Joel Verghese has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
unilogies/bumsys maintainer marked this as fixed in 1.0.2-beta with commit 4760bd a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ajax.php#L336 has been validated
unilogies/bumsys maintainer published this vulnerability a year ago
unilogies/bumsys maintainer gave praise a year ago
Thank you @krizzsk for your great work. I am very happy to see that there are some people ready to help open source projects.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Joel Verghese
a year ago

Researcher


Hi, I have recently submitted new vulnerabilities. That said, to answer your question "Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.": I'd say never trust the user input and always sanitize the input.

Cheers, @krizzsk
