Gist: LioTree/f8134c7b235377171a260801eef20a42
online-rental-property-manager XSS

vendor: online-rental-property-manager

version: <= 7.1, fixed in commit edb404c4e31966338762de3022d0e6cfac63ca2b

A Cross-Site Scripting (XSS, CWE-79) vulnerability exists in app/hooks/applicants_and_tenants_filter.php. At line 93, the request parameter $FilterValue[1] is written into a single-quoted JavaScript string literal inside a <script> block after being passed through htmlspecialchars(). With the default flags in effect there (ENT_COMPAT | ENT_HTML401 on PHP before 8.1), htmlspecialchars() encodes <, >, & and " but leaves the single quote (') untouched, so an attacker can supply a ' to close the string literal and append arbitrary JavaScript. The injected script runs in the browser of any administrator or other user who opens a crafted URL, so it can read their cookies (unless the session cookie is marked HttpOnly) and reuse them to log in as the victim. Note that PHP 8.1 changed the default flags of htmlspecialchars() to include ENT_QUOTES, so the unmodified line 93 only fails on earlier PHP versions; the fix is still to pass ENT_QUOTES explicitly or, better, to emit the value with json_encode().

```php
<script>
    //for population
    // line 93: htmlspecialchars() without ENT_QUOTES leaves ' unescaped,
    // so a value containing ' closes the JavaScript string literal
    var filterValue_13 = '<?php echo htmlspecialchars($FilterValue[ 1 ]); ?>';
    $j(function () {
        if (filterValue_13) {
            $j("input[class =filter_13][value ='" + filterValue_13 + "']").attr("checked", "checked");
        }
    })
</script>
```

The PoC URL is as follows (the payload is FilterValue[1], which URL-decodes to ';alert(1);// and renders line 93 as var filterValue_13 = '';alert(1);//';):

http://localhost/online-rental-property-manager/app/applicants_and_tenants_view.php?SearchString=&Filter_x=1&current_view=TV&SortField=&SelectedID=&SelectedField=&SortDirection=&FirstRecord=1&NoDV=1&PrintDV=&DisplayRecords=all&FilterValue[0]=xxxx&FilterValue[1]=%27;alert(1);//&FilterField[0]=1&FilterField[1]=2
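The following PHP is an added illustration, not code from online-rental-property-manager: it rebuilds the encoding step of line 93 with the PoC payload and sets it beside two corrected encodings, the ENT_QUOTES variant and a json_encode() variant. The function names and the stringLiteralEndsEarly() check are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from online-rental-property-manager: rebuilds the
// encoding step of line 93 with the PoC payload and compares it with two
// corrected encodings. Function names and the checker are this example's own.
// Requires PHP 8.0+ (str_contains).

const PAYLOAD = "';alert(1);//"; // URL-decoded FilterValue[1] from the PoC

// What line 93 does. The flags are passed explicitly because PHP 8.1 changed
// the default of htmlspecialchars() to include ENT_QUOTES; the project code
// relies on the pre-8.1 default, which leaves ' alone.
function vulnerableLine(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_COMPAT | ENT_HTML401, 'UTF-8');
    return "var filterValue_13 = '" . $encoded . "';";
}

// Minimal fix: ENT_QUOTES turns ' into &#039;, so the literal can no longer
// be closed early. Caveat: inside <script> the browser does not decode HTML
// entities, so the JavaScript variable now holds the text "&#039;" instead of
// the original quote character.
function quotesEscapedLine(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
    return "var filterValue_13 = '" . $encoded . "';";
}

// Preferred fix for a JavaScript context: json_encode() emits a complete JS
// string literal (quotes included) and, with the JSON_HEX_* flags, writes
// ' " < > & as \uXXXX escapes, so the value can neither close the literal nor
// end the <script> block, and JavaScript decodes it back to the exact value.
function jsonEncodedLine(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    return 'var filterValue_13 = ' . json_encode($value, $flags) . ';';
}

// Rendered lines have the shape  var filterValue_13 = '<value>';  An unescaped
// ' inside <value> terminates the literal and everything after it executes as
// code. The json_encode() variant uses double quotes, so it is never flagged.
function stringLiteralEndsEarly(string $rendered): bool
{
    $start = strpos($rendered, "'");
    if ($start === false) {
        return false;
    }
    $inner = substr($rendered, $start + 1, -2); // drop the opening ' and the trailing ';
    return str_contains($inner, "'");
}

foreach (['vulnerableLine', 'quotesEscapedLine', 'jsonEncodedLine'] as $fn) {
    $line = $fn(PAYLOAD);
    printf("%-18s %-48s breaks out: %s\n", $fn, $line, stringLiteralEndsEarly($line) ? 'yes' : 'no');
}
```

Running it shows the vulnerable variant rendering as var filterValue_13 = '';alert(1);//'; (flagged), the ENT_QUOTES variant keeping the literal intact but storing the entity text rather than the quote, and the json_encode() variant producing a double-quoted literal with \u0027 that the browser decodes back to the original value. Since the value is later concatenated into a jQuery selector, preserving it exactly matters for the page to keep working after the fix.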

[Screenshots: online-rental-property-manager, online-rental-property-manager2]
