
Submit #79844: Reflected Cross-Site Scripting (XSS) Vulnerability in the Name Parameter of Canteen Management System 1.0 by SourceCodester: Information

Title: Reflected Cross-Site Scripting (XSS) Vulnerability in the Name Parameter of Canteen Management System 1.0 by SourceCodester
Description:

# Description

A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the Canteen Management System 1.0 by SourceCodester. The vulnerability affects the 'Add Customer' form, handled by the 'createcustomer.php' source file, and allows an attacker to inject malicious code into the 'name' parameter. The injected code is reflected back into the user's browser and executed, allowing an attacker to steal sensitive information, perform actions on behalf of the user, or redirect the user to a malicious site. The vulnerability can be exploited remotely and has the potential for code execution. It is important to note that it is only exploitable if the user clicks on a link or submits a form containing the malicious code.

# VULNERABILITY-TYPE: Reflected Cross-Site Scripting (XSS)
# VENDOR OF THE PRODUCT: SourceCodester
# AFFECTED PRODUCT: Canteen Management System
# VERSION: 1.0
# ATTACK TYPE: Remote
# IMPACT: Code execution
# AFFECTED COMPONENTS: Source code (createcustomer.php)
# ATTACK VECTOR: Add Customer form (name parameter)
# Tested-On: Windows 11 + XAMPP

# STEPS_TO_REPRODUCE

1. Log into the application using the credentials given above.
2. Navigate to the `Customer` tab on the left panel and select `Add Customer`; you will be redirected to this URL: [http://localhost/youthappam/add_customer.php](http://localhost/youthappam/add_customer.php)
3. Fill in the `Add Customer` form with default/random values for every field except the `name` parameter; in the `name` parameter put the payload below.
4. Payload: `SRK_TEST"><script>alert(document.domain)</script>`
5. You will see that the `name` parameter is neither validated nor sanitized, so the XSS payload is reflected and the alert pops up.

# REFERENCE

https://cwe.mitre.org/data/definitions/79.html

# VIDEO-POC GITHUB-LINK

https://github.com/ctflearner/Vulnerability/blob/main/Canteen%20Management%20System/Canteen_Management_System_XSS_IN_Add_Customer.md
Source: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html
User: Affan (UID 39417)
Submission: 2023-01-29 09:32 (2 years ago)
Moderation: 2023-01-29 18:30 (9 hours later)
Status: Accepted
VulDB Entry: 219730 [SourceCodester Canteen Management System 1.0 Add Customer createcustomer.php name cross site scripting]
Points: 20
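The root cause described in the submission is a `name` value that is written back into the HTML response without output encoding. The following is an added example, not code from the Canteen Management System or from the submitter: the page does not reproduce the real `createcustomer.php`, so `render_customer_vulnerable` is a hypothetical minimal handler that reflects the parameter the way the submission describes, placed beside a hardened version that encodes for the HTML attribute context with `htmlspecialchars` and adds an allow-list check on the stored name. The `$constructed_post` input is constructed from the payload quoted in the submission.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Requires PHP 8.0+ for str_contains().

// Hypothetical vulnerable rendering: the submitted 'name' is concatenated
// into an HTML attribute unescaped, so a value containing a double quote
// followed by a <script> tag breaks out of the attribute and the browser
// executes it. This mirrors the behaviour reported for createcustomer.php.
function render_customer_vulnerable(array $post): string
{
    $name = $post['name'] ?? '';
    return '<input type="text" name="name" value="' . $name . '">';
}

// Hardened rendering: encode for the HTML attribute context.
// ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the explicit charset removes
// any ambiguity about how bytes are interpreted.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_customer_hardened(array $post): string
{
    $name = $post['name'] ?? '';
    return '<input type="text" name="name" value="' . html_attr($name) . '">';
}

// Defence in depth for the stored value: a customer name should only need
// letters, combining marks, spaces, dots, apostrophes and hyphens. Input
// validation does not replace output encoding; it limits what reaches the
// database in the first place.
function validate_customer_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M} .\'-]{1,100}$/u', $name);
}

// Constructed POST body using the payload quoted in the submission.
$constructed_post = ['name' => 'SRK_TEST"><script>alert(document.domain)</script>'];

$vuln = render_customer_vulnerable($constructed_post);
$safe = render_customer_hardened($constructed_post);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";

// The vulnerable output contains a live <script> element; the hardened
// output does not, because <, > and " were turned into entities.
$checks = [
    'vulnerable output contains <script>'   => str_contains($vuln, '<script>'),
    'hardened output has no <script>'       => !str_contains($safe, '<script>'),
    'hardened output encodes the tag'       => str_contains($safe, '&lt;script&gt;'),
    'hardened output encodes the quote'     => str_contains($safe, '&quot;'),
    'payload rejected by allow-list'        => !validate_customer_name($constructed_post['name']),
    'ordinary name accepted by allow-list'  => validate_customer_name("Jane O'Brien"),
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ": $label\n";
}
```

Run it with `php example.php`; every check should print `PASS`. The encoding call is the fix that actually closes the reflected XSS, since it is applied at the point where the value is written into HTML; the allow-list is an extra control so that a `name` which later lands in a report or a different template is still inert.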
