Improper handling of large integer values in francoisjacquet/rosariosis


Reported on

May 2nd 2022


In the create Fee function, large integer values in the amount field are handled improperly.

Proof of Concept

POST /demonstration/Modules.php?modname=Student_Billing/StudentFees.php HTTP/1.1
Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 385
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close


Steps to reproduce

  • Go to Student Billing
  • Create new Fee with amount 9999999999999999999999999
  • We can see the server return a larger value than 9999999999999999999999999

PoC image



This vulnerability can make the website not work properly.
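The observation above (a 25-digit amount coming back as a different, larger number) is what happens when a numeric string is cast to a double: values beyond about 16 significant digits are rounded to the nearest representable double. The following is an added example, not RosarioSIS code, showing that loose path next to a strict validator that bounds the amount as a decimal string and never creates a float. The 12-integer-digit / 2-fraction-digit limit stands in for a hypothetical NUMERIC(14,2) column; the loose path is an assumed mechanism for the reported behaviour, not the project's actual code.

```php
<?php
declare(strict_types=1);
// Added example, not RosarioSIS code. Shows loose float-based handling of
// an "amount" field next to a strict decimal-string validator.

// Hypothetical limit for the amount column (e.g. NUMERIC(14,2)):
// twelve integer digits plus two fractional digits.
const AMOUNT_MAX_INT_DIGITS = 12;
const AMOUNT_MAX_FRAC_DIGITS = 2;

/**
 * Loose handling: cast to float and format. Long digit strings are rounded
 * to the nearest double, so the stored value no longer equals what the user
 * submitted. (Assumed mechanism for the report; not the project's code.)
 */
function loose_amount(string $raw): string
{
    return number_format((float) $raw, AMOUNT_MAX_FRAC_DIGITS, '.', '');
}

/**
 * Strict handling: accept only a bounded, unsigned decimal literal and
 * return it in canonical form, or null when the input is rejected.
 * No float is created at any point, so no rounding can occur.
 */
function validate_amount(string $raw): ?string
{
    $raw = trim($raw);
    $pattern = sprintf(
        '/^(\d{1,%d})(?:\.(\d{1,%d}))?$/',
        AMOUNT_MAX_INT_DIGITS,
        AMOUNT_MAX_FRAC_DIGITS
    );
    // Rejects: too many digits, signs, exponent notation, separators, empty.
    if (!preg_match($pattern, $raw, $m)) {
        return null;
    }
    $int  = ltrim($m[1], '0');
    $frac = str_pad($m[2] ?? '', AMOUNT_MAX_FRAC_DIGITS, '0'); // pad right
    return ($int === '' ? '0' : $int) . '.' . $frac;
}

// Constructed inputs: the report's 25-digit value plus a few ordinary and
// malformed ones, run through both paths for comparison.
foreach (['9999999999999999999999999', '1234.5', '0.10', '12e3', '-5'] as $in) {
    printf(
        "%-26s loose=%s strict=%s\n",
        $in,
        loose_amount($in),
        var_export(validate_amount($in), true)
    );
}
```

Run it with `php amount_check.php`. The loose path prints a number that differs from the 25-digit input, while the strict validator returns null for it and for the signed and exponent-form inputs, and canonicalises the ordinary ones. Rejecting at the request boundary is the fix that addresses the report; constraining the database column to the same precision is the matching defence in depth, so that an out-of-range value is refused rather than silently rounded.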

  • We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
  • We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 25 days ago
  • François Jacquet validated this vulnerability 24 days ago
  • Nhien.IT has been awarded the disclosure bounty
  • The fix bounty is now up for grabs
  • The researcher's credibility has increased: +7
  • François Jacquet confirmed that a fix has been merged on 386a5e 24 days ago
  • François Jacquet has been awarded the fix bounty