CVE-2023-4865: 【CVE-2023-4864】【CVE-2023-4865】SourceCodester Take-Note App v1.0 has Multiple Vulnerabilities
A vulnerability has been found in SourceCodester Take-Note App 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239350 is the identifier assigned to this vulnerability.
CVE · Uncategorized
September 5, 2023 · September 9, 2023 · 4 Minutes
Vuln_Author: WEI(Gikaku)
Vendors: SourceCodester
Source code: Take-Note App
The program was tested on XAMPP with PHP 8.2.4.
Vulnerabilities:
- DOM-XSS
- CSRF
“Take-Note App,” a simple yet powerful solution to help you organize and manage your notes seamlessly. It also uses CRUD (Create, Read, Update and Delete) features. Built using the versatile PHP programming language, this app offers an intuitive user interface and robust features that make note-taking a breeze. It is just a simple app that uses a single table, unlike the table-joining apps I’ve also created before.
Features:
- Effortless Note Creation: With the Take-Note App, creating a new note is as simple as typing your thoughts. Enter the title and content of your note, and you’re good to go.
- User-Friendly Interface: The app boasts a clean and user-friendly interface, designed to provide a distraction-free note-taking experience. Whether you’re using a desktop computer or a mobile device, the app adapts seamlessly.
- Edit and Update: Need to make changes to an existing note? The app allows you to easily edit and update your notes. You can modify the title and content to keep your notes up to date.
- Organize and Manage: Organizing your notes is made easy with categorization by titles. The app lets you effortlessly manage multiple notes and quickly find what you’re looking for.
- Time Stamps: Each note you create is automatically stamped with the date and time it was created, helping you keep track of your thoughts and ideas chronologically.
- Delete Confirmation: Before you delete a note, the app prompts you to confirm your action, ensuring that important notes aren’t accidentally removed.
**DOM-XSS**
A DOM-XSS vulnerability exists in index.php.
Code Audit
…
```php
// Convert the date_time value to a formatted date and time string
$formattedDateTime = date('F j, Y H:i A', strtotime($noteDateTime));
?>
<li class="list-group-item mt-2">
  <div class="btn-group float-right">
    <a href="endpoint/update_note.php?edit=<?php echo $noteID ?>"><button type="button" class="btn btn-sm btn-light" title="Show"><i class="fa fa-pencil"></i></button></a>
    <button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
  </div>
  <h3 style="text-transform:uppercase;"><b><?php echo $noteTitle ?></b></h3>
  <p class="note-content"><?php echo $noteContent ?></p>
  <small class="block text-muted text-info">Created: <i class="fa fa-clock-o text-info"></i> <?php echo $formattedDateTime ?></small>
</li>
<?php } ?>
```
…
The following line of code is vulnerable:
```php
<p class="note-content"><?php echo $noteContent ?></p>
```
Here, the value of the `$noteContent` variable is written directly into the HTML without encoding. Because that value is user-entered note content that is never filtered or escaped, any HTML or JavaScript placed in a note is rendered as markup, which is an XSS condition.
PoC
Attackers can insert JavaScript code into the content of a note. For example, they can create a note with the following content:
```html
<script>alert('xss')</script>
```
When other users view this note, the above JavaScript code will run in their browsers.
This is a typical DOM-XSS vulnerability.
Test results (screenshot): the payload executed, confirming the DOM-XSS vulnerability.
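The same list item rendered with output encoding chosen per context, as an added example that is not the Take-Note App's own code. The variable names follow the audited snippet; the helpers `h()`, `js_in_attr()` and `render_note()` are assumptions.

```php
<?php
// Added example, not the Take-Note App's own code: renders one note list item
// with escaping chosen per output context. Variable names follow the audited
// snippet; the helper names h(), js_in_attr() and render_note() are assumptions.

// HTML body and double-quoted attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A JavaScript string literal inside an HTML attribute (the onclick handler):
// JSON-encode first so quotes, "</" and line terminators cannot end the JS
// string, then HTML-escape so nothing can end the attribute.
function js_in_attr(string $s): string {
    return h(json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT));
}

function render_note(string $noteID, string $noteTitle, string $noteContent, string $formattedDateTime): string {
    return '<li class="list-group-item mt-2">'
      . '<div class="btn-group float-right">'
      . '<a href="endpoint/update_note.php?edit=' . h($noteID) . '">'
      . '<button type="button" class="btn btn-sm btn-light" title="Show"><i class="fa fa-pencil"></i></button></a>'
      . '<button onclick="delete_note(' . js_in_attr($noteID) . ')" type="button" class="btn btn-sm btn-light" title="Remove">'
      . '<i class="fa fa-trash"></i></button></div>'
      . '<h3 style="text-transform:uppercase;"><b>' . h($noteTitle) . '</b></h3>'
      . '<p class="note-content">' . h($noteContent) . '</p>'   // the line audited above, now encoded
      . '<small class="block text-muted text-info">Created: <i class="fa fa-clock-o text-info"></i> '
      . h($formattedDateTime) . '</small></li>';
}

// Constructed sample input: the PoC payload stored as note content. The script
// tag is emitted as entity-encoded text, so the browser displays it rather than
// executing it.
echo render_note('21', 'test', "<script>alert('xss')</script>", 'September 5, 2023 10:00 AM'), PHP_EOL;
```

Encoding this way turns every note into plain text; if the app ever needs rich-text notes, an HTML sanitizer applied at save time is required instead of raw echo.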
**CSRF (Cross-Site Request Forgery)**
A CSRF vulnerability exists in index.php and delete_note.php.
Code Audit
…
```php
// Convert the date_time value to a formatted date and time string
$formattedDateTime = date('F j, Y H:i A', strtotime($noteDateTime));
?>
<li class="list-group-item mt-2">
  <div class="btn-group float-right">
    <a href="endpoint/update_note.php?edit=<?php echo $noteID ?>"><button type="button" class="btn btn-sm btn-light" title="Show"><i class="fa fa-pencil"></i></button></a>
    <button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
  </div>
  <h3 style="text-transform:uppercase;"><b><?php echo $noteTitle ?></b></h3>
  <p class="note-content"><?php echo $noteContent ?></p>
  <small class="block text-muted text-info">Created: <i class="fa fa-clock-o text-info"></i> <?php echo $formattedDateTime ?></small>
</li>
<?php } ?>
```
…
The following code has a security issue:
```php
<button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
```
Here, the application deletes a note through a simple GET request to delete_note.php that carries only the note ID, with no CSRF token or same-origin check. This means that anyone who knows the correct URL can delete any note, and a logged-in user who is tricked into opening that URL will have their note deleted.
This is a typical CSRF vulnerability.
PoC
Attackers can create a seemingly harmless link and then lure users into clicking it. For example:
```html
<a href="http://example.com/endpoint/delete_note.php?delete=21">test for csrf</a>
```
If a logged-in user clicks on this link, their note is deleted. In the test (screenshot), the note named “test” was successfully deleted.
This confirms the CSRF vulnerability.
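One way to close the CSRF hole, as an added example that is not the Take-Note App's own code: the Remove button becomes a POST form carrying a session-bound token, and delete_note.php refuses anything else. The function names, the `csrf_token` field and the `$deleteById` callable are assumptions; `delete_note.php` and the `delete` parameter come from the audited code.

```php
<?php
// Added example, not the Take-Note App's own code. Replaces the GET-based
// delete with a POST request carrying a session-bound token; function names
// and the csrf_token field are assumptions.
session_start();
// One token per session from a CSPRNG, kept server-side and echoed into forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison; a missing or mistyped value is a rejection.
function csrf_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
// Remove button as a POST form. A third-party page can still embed
// <a href="...delete_note.php?delete=21">, but that GET is now refused.
function delete_form(int $noteID): string {
    $tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="endpoint/delete_note.php" class="d-inline">'
         . '<input type="hidden" name="csrf_token" value="' . $tok . '">'
         . '<input type="hidden" name="delete" value="' . $noteID . '">'
         . '<button type="submit" class="btn btn-sm btn-light" title="Remove" '
         . 'onclick="return confirm(\'Delete this note?\')"><i class="fa fa-trash"></i></button></form>';
}
// Handler for endpoint/delete_note.php; $deleteById is the app's existing
// delete query (hypothetical callable), reached only after every check passes.
function handle_delete(callable $deleteById): int {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);   // the PoC link above is a GET: refused here
        return 405;
    }
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);   // request did not come from our own form
        return 403;
    }
    $id = filter_input(INPUT_POST, 'delete', FILTER_VALIDATE_INT);
    if ($id === null || $id === false) {
        http_response_code(400);   // non-numeric or absent note ID
        return 400;
    }
    $deleteById($id);
    return 200;
}
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a useful second layer, but it does not replace the token check. Since the app has no per-user ownership of notes, the delete query should also be restricted to notes belonging to the authenticated user once accounts exist.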