@enferas
Last active January 21, 2023 12:19
XSS in expense management system sourcecodester

CVE-2023-23027 is assigned

Link: https://www.sourcecodester.com/php-codeigniter-expense-management-system-source-code

9 XSS vulnerabilities

Sinks in application/views/index.php

// line 195
<input name="" readonly="" type="text" class="form-control form-control-sm" value="<?php echo $row->name  ?>" placeholder="" aria-label="Name">
// line 200
<input type="hidden" name="name" value="<?php echo $row->cus_id ?>">
// line 211
<input name="discription" value="<?php echo $row->discription ?>" type="text" class="form-control form-control-sm" id="exampleInputPassword1" placeholder="Description">
// line 218
<input name="amount" onkeypress="return isNumber(event)" value="<?php echo $row->amount ?>" type="text" class="form-control form-control-sm" placeholder="Debit Amount" aria-label="Debit Amount">
// line 371
<input name="" readonly="" type="text" class="form-control form-control-sm" value="<?php echo $row->name  ?>" placeholder="" aria-label="Name">
// line 374
<input type="hidden" name="name" value="<?php echo $row->cus_id ?>">
// line 379
<input name="date" readonly="" type="text" value="<?php echo $row->date ?>" required="" class="form-control form-control-sm" placeholder="Username" aria-label="Date">
// line 386
<input name="discription" value="<?php echo $row->discription ?>" type="text" class="form-control form-control-sm" id="exampleInputPassword1" placeholder="Description">
// line 393
<input name="amount" onkeypress="return isNumber(event)" value="<?php echo $row->amount ?>" type="text" class="form-control form-control-sm" placeholder="Debit Amount" aria-label="Debit Amount">

All of these sinks are populated from the database. The values are written to the database in the following lines.

For example, in file application/controllers/Home.php, line 215:

$userData = array(
    'cus_id' => strip_tags($this->input->post('name')),
    'discription' => strip_tags($this->input->post('discription')),
    'date' => strip_tags($this->input->post('date')),
    'category_id' => strip_tags($this->input->post('item')),
    'amount' => strip_tags($this->input->post('amount')),
    'dis_cat' => "badge-gradient-warning",
);
$this->db->insert('debit', $userData);

strip_tags() does not protect against XSS in this case because the value is echoed inside an attribute of an HTML input tag, so no tag characters are needed to break out of it. https://security.stackexchange.com/questions/97550/how-to-launch-xss-code-from-an-input-html-tag-upon-page-load

strip_tags() leaves an input such as `" onfocus="alert(1)" autofocus="` untouched, because it contains no tags, which leads to the XSS vulnerabilities.
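To make the attribute-context point concrete, the following is an added example (not code from the gist or from the project) that runs the gist's payload through the vulnerable strip_tags() path and then through proper output encoding with htmlspecialchars(); the attr() helper and the sample value are assumed for illustration.

```php
<?php
// Added example, not part of the gist or the application.
// Demonstrates why strip_tags() at insert time does not stop XSS in an
// HTML attribute, and how encoding at output time in the view does.

// Constructed sample: the payload quoted in the gist, as submitted in the
// 'discription' field of the debit form.
$submitted = '" onfocus="alert(1)" autofocus="';

// Vulnerable path (as in Home.php line 215): strip_tags() only removes
// <...> tags, so a payload with no angle brackets is stored unchanged.
$stored = strip_tags($submitted);

// Vulnerable sink (as in index.php line 211): the stored value is echoed
// raw into the value="" attribute, so the leading quote closes the
// attribute and the rest becomes new attributes on the input tag.
$vulnerable = '<input name="discription" value="' . $stored . '" type="text">';

// Fix for the view: encode for the HTML attribute context at output time.
// ENT_QUOTES encodes both " and ' so the value cannot terminate the
// attribute; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
// (Assumed helper name; CodeIgniter 3's html_escape() does the same job.)
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$fixed = '<input name="discription" value="' . attr($stored) . '" type="text">';

// Sanity checks a reviewer would run: the stripped value still equals the
// payload, the vulnerable markup gained an onfocus handler, the fixed one
// contains no raw double quote from user data.
$stripTagsWasUseless  = ($stored === $submitted);
$vulnerableHasHandler = (strpos($vulnerable, ' onfocus="alert(1)"') !== false);
$fixedHasHandler      = (strpos($fixed, ' onfocus="alert(1)"') !== false);

echo "strip_tags() left payload intact: " . var_export($stripTagsWasUseless, true) . PHP_EOL;
echo "Vulnerable markup carries onfocus: " . var_export($vulnerableHasHandler, true) . PHP_EOL;
echo "Fixed markup carries onfocus:      " . var_export($fixedHasHandler, true) . PHP_EOL;
echo PHP_EOL . "Vulnerable:" . PHP_EOL . "  " . $vulnerable . PHP_EOL;
echo "Fixed:" . PHP_EOL . "  " . $fixed . PHP_EOL;
```

The same attr() wrapper applied to every `<?php echo $row->... ?>` in the nine sinks listed above closes them all, regardless of what reaches the database.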
