Improper handling of large integer values in francoisjacquet/rosariosis


Reported on

May 2nd 2022


In create Fee function, improper handling of large integer values in mount field value.

Proof of Concept

POST /demonstration/Modules.php?modname=Student_Billing/StudentFees.php HTTP/1.1
Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 385
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close


Step to reproduce

  • Go to Student Billing
  • Create new Fee with amount 9999999999999999999999999
  • We can see server return a larger value than 9999999999999999999999999

PoC image



This vulnerability can make the website not work properly.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
François Jacquet validated this vulnerability 2 years ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit 386a5e 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation