@enferas
Last active January 21, 2023 12:03
XSS Kalkun

CVE-2023-23015 has been assigned.

Link: https://github.com/kalkun-sms/Kalkun

XSS vulnerability via the username.

The username is written to the DB without sanitization in file Kalkun-devel\application\models\User_model.php:

$this->db->set('username', trim($this->input->post('username')));

The username is then retrieved from the DB and set in the session, followed by a redirect to 'kalkun', in file Kalkun-devel\application\models\Kalkun_model.php:

function login()
{
  $username = $this->input->post('username');
  $this->db->from('user');
  $this->db->where('username', $username);
  $query = $this->db->get();

  if ($query->num_rows() === 1 && password_verify($this->input->post('password'), $query->row('password')))
  {
    //...
    $this->session->set_userdata('username', $query->row('username'));
    //...
  }
  if ($this->input->post('r_url'))
  {
    redirect($this->input->post('r_url'));
  }
  else
  {
    redirect('kalkun');
  }
}

The 'kalkun' route loads the main layout view in file Kalkun-devel\application\controllers\Kalkun.php:

function index()
{
  //...
  $this->load->view('main/layout', $data);
}

The layout in turn loads the dock view in file Kalkun-devel\application\views\main\layout.php:

<?php $this->load->view('main/dock');?>

Finally, the username from the session is echoed without escaping in file Kalkun-devel\application\views\main\dock.php:

<?php echo $this->session->userdata('username');?>
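
Added example (not part of the original gist or of Kalkun's code): a stand-alone PHP model of the flow above, showing the raw echo from dock.php beside an output-encoded version. The `<span>` wrapper, the function names, the username allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: models the data flow described above without CodeIgniter.
// Function names, the <span> wrapper and the allowlist are hypothetical.

// Mirrors dock.php: the stored value is echoed into HTML unchanged.
function render_dock_raw(string $username): string
{
    return '<span class="username">' . $username . '</span>';
}

// Hardened form: encode for the HTML context at output time, so markup
// characters in the stored value are rendered as text.
function render_dock_escaped(string $username): string
{
    return '<span class="username">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Defence in depth at write time: accept only an allowlisted character set.
// The exact policy (characters, length) is an assumption, not Kalkun's rule.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $username) === 1;
}

// Constructed sample inputs, as they might arrive in the POST body.
$samples = ['alice', '  bob  ', '<b>mallory</b>', 'o"reilly'];

foreach ($samples as $posted) {
    // Same handling as the User_model.php line quoted above: trim() only.
    $stored = trim($posted);

    printf("stored:  %s\n", $stored);
    printf("valid:   %s\n", is_valid_username($stored) ? 'yes' : 'no');
    printf("raw:     %s\n", render_dock_raw($stored));
    printf("escaped: %s\n\n", render_dock_escaped($stored));
}
```

Inside CodeIgniter views, the framework's `html_escape()` helper can be used for the same output encoding.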