Headline

CVE-2022-42205: Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2 | Systems and Internet Security Lab

PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php.

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #windows #apple #linux #java #php #chrome #webkit

Stored Cross Site Scripting Vulnerabilities in Hospital Management System Gurukul v4.0 #2

Cross site scripting in Hospital Management System Gurukul v4.0 Heading link

Multiple stored cross site scripting vulnerabilities are present in Hospital Management System Gurukul v4.0

In the add-patient.php file, several POST parameters are directly used into the INSERT SQL query without any kind of escaping or sanitization.

  /\* ... \*/

if(isset($_POST[‘submit’])) { $docid=$_SESSION[‘id’]; $patname=$_POST[‘patname’]; $patcontact=$_POST[‘patcontact’]; $patemail=$_POST[‘patemail’]; $gender=$_POST[‘gender’]; $pataddress=$_POST[‘pataddress’]; $patage=$_POST[‘patage’]; $medhis=$_POST[‘medhis’]; $sql=mysqli_query($con,"insert into tblpatient(Docid,PatientName,PatientContno,PatientEmail,PatientGender,PatientAdd,PatientAge,PatientMedhis) values(‘$docid’,’$patname’,’$patcontact’,’$patemail’,’$gender’,’$pataddress’,’$patage’,’$medhis’)");

  /\* ... \*/

In the admin/manage-patients.php, doctor/manage-patient.php, doctor/view-patient.php, admin/view-patient.php and view-medhistory.php files, the data that was inserted by the above-mentioned query is retrieved from the database and added to the current page.

  /\* Example from doctor/view-patient.php\*/

$vid=$_GET[‘viewid’]; $ret=mysqli_query($con,"select * from tblpatient where ID=’$vid’"); $cnt=1; while ($row=mysqli_fetch_array($ret)) {

/\* ... \*/
echo $row\['PatientName'\];
/\* ... \*/
echo $row\['PatientEmail'\];
/\* ... \*/
echo $row\['PatientContno'\];
/\* ... \*/
echo $row\['PatientContno'\];
/\* ... \*/
echo $row\['PatientAdd'\];
/\* ... \*/
echo $row\['PatientGender'\];
/\* ... \*/
echo $row\['PatientMedhis'\];
/\* ... \*/
echo $row\['CreationDate'\];
/\* ... \*/

The vulnerable parameters through which the attack can be carried out are patname, patemail, gender, pataddress and medhis POST parameters.
The following is one of the possible exploitation using the medhis POST parameter.

POST /hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php HTTP/1.1 Host: localhost Content-Length: 180 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="105", “Not)A;Brand";v="8” sec-ch-ua-mobile: ?0 sec-ch-ua-platform: “Linux” Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/hospitalmanagementsystemproject4/hospital/hms/doctor/add-patient.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=lrqh66ialqjgfot5rcq90bnvjj Connection: close

patname=Name4&patcontact=3124432845&patemail=Name3%40mail.com&gender=male&pataddress=3021+Halsted+St%2C+Chicago&patage=40&medhis=[url-encoded-script]&submit=

An attacker can easily inject malicious Javascript into the database and steal session cookies from users and administrators.

These vulnerabilities were found using the NAVEX project developed at SISL lab in UIC.