Link: https://github.com/RamonSilva20/mapos
Multiple XSS vulnerabilities.
For example,
The 'telefone' value from the POST request is saved in the DB unchanged, then it is retrieved and printed in the view without HTML encoding (stored XSS).
In file mapos-master\application\controllers\Clientes.php
// Excerpt of the client-edit controller action (other fields elided with //...):
// builds the row to persist directly from POST fields.
$data = [
//...
// 'telefone' is taken from the POST body as submitted. No validation or encoding is
// visible in this excerpt, so the stored value must be treated as untrusted and
// HTML-encoded wherever it is later rendered.
'telefone' => $this->input->post('telefone'),
//...
];
// The record id to update also comes straight from the POST body.
// NOTE(review): no permission check on idClientes is visible in this excerpt; confirm
// that one exists in the elided code.
if ($this->clientes_model->edit('clientes', $data, 'idClientes', $this->input->post('idClientes')) == true) {
//....
}
/**
 * Update the row(s) of $table whose $fieldID column equals $ID with the
 * column => value pairs in $data.
 *
 * The values are written as given: nothing here validates or HTML-encodes
 * them, so any view that prints these columns has to encode on output.
 * (SQL escaping is presumably handled by the query builder; confirm against
 * the framework version in use.)
 *
 * @param string $table   Table to update.
 * @param array  $data    Column => value pairs to write.
 * @param string $fieldID Name of the key column used in the WHERE clause.
 * @param mixed  $ID      Key value identifying the row.
 *
 * @return bool True when affected_rows() is zero or more, so an update that
 *              changed nothing is still reported as success.
 */
public function edit($table, $data, $fieldID, $ID)
{
    $this->db->where($fieldID, $ID);
    $this->db->update($table, $data);

    return $this->db->affected_rows() >= 0;
}
In file mapos-master\application\controllers\Relatorios.php
// Excerpt of the client-report controller action. The rows loaded here are handed to the
// report views; they carry the stored column values (including 'telefone') unchanged.
// 'tipocliente' is read from the query string and passed to the model as the $tipo filter.
$data['clientes'] = $this->Relatorios_model->clientesCustom($dataInicial, $dataFinal, $this->input->get('tipocliente'));
//...
// Renders the header view with the same $data. The third argument (true) presumably makes
// the loader return the markup as a string rather than sending it to the output.
$data['topo'] = $this->load->view('relatorios/imprimir/imprimirTopo', $data, true);
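/**
 * Fetch client rows for the custom clients report, optionally filtered by
 * registration date range and by the "fornecedor" column.
 *
 * Each active filter contributes exactly one "?" placeholder and one entry in
 * the bindings list, so the two cannot drift apart. The original passed
 * [$dataInicial, $dataFinal] as bindings to a statement that contained no
 * placeholders, and concatenated the "AND ..." fragments with no separating
 * whitespace.
 *
 * This protects the SQL statement only. The returned columns (for example
 * telefone) are whatever was stored and must still be HTML-encoded by the
 * view that prints them.
 *
 * @param string|null $dataInicial Inclusive lower bound for dataCadastro; skipped when loosely null.
 * @param string|null $dataFinal   Inclusive upper bound for dataCadastro; skipped when loosely null.
 * @param string|null $tipo        Value matched against fornecedor; skipped when loosely null.
 *
 * @return array Rows as returned by result() on the query.
 */
public function clientesCustom($dataInicial = null, $dataFinal = null, $tipo = null)
{
    $conditions = '';
    $bindings = [];

    // Loose "!= null" is kept from the original: null and '' mean "no filter",
    // while the string '0' is still treated as a real value for $tipo.
    if ($dataInicial != null) {
        $conditions .= ' AND dataCadastro >= ?';
        $bindings[] = $dataInicial;
    }
    if ($dataFinal != null) {
        $conditions .= ' AND dataCadastro <= ?';
        $bindings[] = $dataFinal;
    }
    if ($tipo != null) {
        $conditions .= ' AND fornecedor = ?';
        $bindings[] = $tipo;
    }

    // "WHERE dataCadastro" is the original base condition and is left unchanged.
    $sql = "SELECT * FROM clientes WHERE dataCadastro{$conditions} ORDER BY nomeCliente";

    return $this->db->query($sql, $bindings)->result();
}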
In the view file (file name not given):
<?php foreach ($clientes as $c) : /* $clientes holds the rows loaded by the report controller */ ?>
<td align="center"><?= $c->telefone
    /* Output sink: the stored, user-supplied value is echoed into HTML with no encoding.
       Encode on output instead, e.g. htmlspecialchars((string) $c->telefone, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
       The same applies to every other column printed from these rows. */ ?></td>
Another example, where a GET parameter is echoed straight into an HTML attribute (reflected XSS),
In file mapos-master\application\views\arquivos\arquivos.php
<input type="text" name="pesquisa" id="pesquisa" placeholder="Digite o nome do documento para pesquisar" class="span12" value="<?= $this->input->get('pesquisa')
    /* Output sink: the 'pesquisa' query-string value is echoed into a double-quoted attribute with no encoding.
       Encode for the attribute context, e.g. htmlspecialchars((string) $this->input->get('pesquisa'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). */ ?>">
If you agree that these are vulnerabilities, I will report the others as well.