Reflected XSS on ID parameter in unilogies/bumsys
Reported on
Oct 30th 2022
Description
Vulnerable code:
<input type="hidden" name="accounts_id" value="<?php echo $_GET['id']; ?>">
Proof of Concept
https://demo.bumsys.org/xhr/?icheck=false&module=accounts&page=editAccount&id=test"><body%20onpageshow=alert(1)>
Impact
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Occurrences
SECURITY.md
This is Khurshid Alam from bumsys.
You are really doing great work @krizzsk 👌
Now, let's discuss the vulnerability.
Though you must log in to access this resource, we should fix this issue. There are more issues like this, I guess.
One of them is https://demo.bumsys.org/products/edit-product/?pid=9 Isn't it?
But, in your given URL you cannot access any resources (whether you log in or not). Could you please show the exact scenario and how it will work?
And I will be very grateful if you give the best fix for this issue.
Thank you.
Hi Khurshid,
Thanks for the kind words.
I will spend more time on the program and assess the code to find more vulnerabilities. The URL you mentioned is not vulnerable to reflected XSS as the input is not being reflected in the source of the page. That said, to fix these issues I'd recommend using the htmlentities() function in PHP. You can read about it here: https://knowledge-base.secureflag.com/vulnerabilities/cross_site_scripting/cross_site_scripting_php.html
Regarding your query "But, in your given URL you cannot access any resources (either you login or not). Could you please show the exact scenario and how it will work?":
An attacker just needs to send the reported malicious link to an innocent user and wait for him to click on it, which would then execute the malicious payload on the user's end. Please read about it in detail here: https://www.linkedin.com/pulse/reflected-xss-flaw-underestimated-web-application-santhirasekaran#:~:text=Reflected%20XSS%20attacks%2C%20also%20known,enables%20execution%20of%20malicious%20scripts.
Please let me know if you have any more questions.
Hello, thank you for your reply.
I have fixed the issue and updated it. Please check and let me know if it is okay.
I will eagerly wait for your next update. Thank you again.
Hi,
Can you please let me know if you have deployed the fixed version on the host https://demo.bumsys.org/ so I can double verify the fix?
Cheers, @krizzsk
Yes sir, I have deployed the fixed version on https://demo.bumsys.org/
- Khurshid Alam
Hi,
I have confirmed the fix; however, the single quotes are not escaped, which might lead to filter bypass. For that I recommend escaping single quotes as well. You can find more details here: https://github.com/X-Vector/XSS_Bypass/blob/master/htmlspecialchars%20-%20htmlentities/README.md (the last 2 lines will help fix the single-quote escaping problem).
Cheers, @krizzsk
Thank you.
I think from PHP 8 the default flag is changed to ENT_QUOTES. I am using 8.1.6, so I cannot see the effect. Now I am adding the ENT_QUOTES flag along with htmlentities().
- Khurshid Alam
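The thread above covers the whole arc of the fix: the raw echo of $_GET['id'] into an attribute value, the move to htmlentities(), and the follow-up that single quotes must be encoded too. The example below is added here and is not bumsys project code; it places the vulnerable pattern from the report next to a hardened form that passes ENT_QUOTES explicitly, so the result does not depend on the PHP version's default flags (PHP 8.1 made ENT_QUOTES part of the default, earlier versions did not). The function names and the sample input string are assumptions for illustration.

```php
<?php
// Added example, not bumsys project code. Demonstrates the attribute-context
// escaping discussed in the report. Function names are illustrative.

// Vulnerable pattern from the report: the query parameter is written into
// a double-quoted attribute value without any encoding, so a '"' in the
// input closes the attribute and the rest of the input becomes markup.
function renderAccountIdVulnerable(string $id): string
{
    return '<input type="hidden" name="accounts_id" value="' . $id . '">';
}

// Hardened form: htmlentities() with ENT_QUOTES so that both '"' and "'"
// are encoded, plus ENT_SUBSTITUTE so invalid UTF-8 is replaced instead of
// yielding an empty string. The flags are explicit rather than relying on
// the interpreter default, which differs between PHP versions.
function renderAccountIdSafe(string $id): string
{
    $escaped = htmlentities($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="accounts_id" value="' . $escaped . '">';
}

// Defensive check a reviewer can run over rendered output: an escaped
// attribute value must contain none of the characters that can break out
// of a quoted attribute or open a new tag.
function attributeValueIsEncoded(string $html): bool
{
    // Extract the value="..." payload of the first input element.
    if (!preg_match('/value="([^"]*)"/', $html, $m)) {
        return false;
    }
    return !preg_match('/["\'<>]/', $m[1]);
}

// Constructed sample input (not a page payload): carries both quote styles
// and angle brackets, which is exactly what the thread's bypass concern is about.
$sample = 'test"><b title=\'x\'>';

// In a request handler this would be: $id = $_GET['id'] ?? '';
$vulnerable = renderAccountIdVulnerable($sample);
$safe       = renderAccountIdSafe($sample);

echo "Vulnerable output:\n", $vulnerable, "\n";
echo "Encoded?  ", attributeValueIsEncoded($vulnerable) ? 'yes' : 'no', "\n\n";

echo "Hardened output:\n", $safe, "\n";
echo "Encoded?  ", attributeValueIsEncoded($safe) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. The vulnerable output shows the attribute being terminated by the input and a new element starting, while the hardened output keeps the whole value inside the attribute as entity-encoded text. If the same value is ever placed into a single-quoted attribute, a JavaScript string, or a URL, attribute encoding alone is not sufficient; encode for the specific context at each sink.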
Hello, it has been done. Could you please recheck and let me know if it is okay? Thank you.
Great work @krizzsk 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.
Hi,
I have recently submitted new vulnerabilities. That said, to answer your question "Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.":
I'd say never trust the user input and always sanitize the input.
Cheers, @krizzsk