A stored cross-site scripting (XSS) vulnerability has been discovered in the Edit Category function of Badaso v2.9.7. The vendor has identified this issue, and it has been assigned the CVE identifier CVE-2023-38974. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter of the Edit Category feature. This post will cover the details of this vulnerability, including code snippets, original references, and exploit details.

Details

The Edit Category function is vulnerable to a stored XSS attack via the Title parameter. An attacker can craft a malicious payload and submit it into the Title field when editing a category. Once the changes are saved, the stored payload will execute every time the edited category is displayed or accessed.

Here's a simple example of a payload that can exploit this vulnerability:

<script>alert('XSS');</script>

When this payload is injected into the Title field and the category is edited, the HTML containing the script is stored in the database. When users navigate to a page displaying the category, the payload is executed, resulting in an "XSS" alert being shown.

This vulnerability can be exploited to perform various malicious actions, such as stealing session cookies, redirecting users to phishing sites, delivering malware, defacing websites, or performing unauthorized actions from the user's account.

A possible vulnerable code snippet within the Badaso Edit Category function could look like this:

// Untrusted request value used as-is: nothing validates or encodes it.
$title = $_POST['title'];
// The raw value is written to the database and later echoed into pages.
$sql = "UPDATE categories SET title = '$title' WHERE id = '$category_id'";
$result = mysqli_query($conn, $sql);

In the above code snippet, the user-supplied input is not being properly sanitized or validated before being stored in the database, leading to a stored XSS vulnerability.

To fix this vulnerability, the developer should ensure that user input is validated and sanitized before being used in any updates or database queries. One way of doing this is by using the htmlspecialchars() function, as shown below:

// Encode HTML metacharacters so the stored value cannot form markup.
$title = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');
// Bind both values instead of interpolating them into the SQL text.
$stmt = mysqli_prepare($conn, "UPDATE categories SET title = ? WHERE id = ?");
mysqli_stmt_bind_param($stmt, 'si', $title, $category_id);
$result = mysqli_stmt_execute($stmt);
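The snippet above encodes the title before it is stored, which is enough to stop this particular alert but leaves the value HTML-encoded for every other consumer of the column, and it still interpolates $category_id into the SQL text. The more common pattern is to store the submitted value unchanged through a parameterised query and encode it at the point where it is rendered into HTML. The following is an added, self-contained example written for this post; it is not Badaso's code. The function names (encodeForHtml, updateCategoryTitle, loadCategoryTitle, renderCategoryHeading) and the categories table layout are hypothetical, and it uses PDO with an in-memory SQLite database so that it runs without a MySQL server; the same prepared statements work unchanged against MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not Badaso's own code. Uses an in-memory SQLite database via
// PDO so it runs offline; the same prepared statements work against MySQL.

// Encode a value for placement in an HTML element body or quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the title exactly as submitted. The parameterised query keeps the
// data out of the SQL text, so quotes in the title cannot alter the statement.
function updateCategoryTitle(PDO $db, int $categoryId, string $title): void
{
    $stmt = $db->prepare('UPDATE categories SET title = :title WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':id', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
}

function loadCategoryTitle(PDO $db, int $categoryId): string
{
    $stmt = $db->prepare('SELECT title FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

// Encode at render time, not at storage time: the stored value stays usable
// for other outputs (JSON, CSV, e-mail) that need different encodings.
function renderCategoryHeading(string $storedTitle): string
{
    return '<h1 class="category-title">' . encodeForHtml($storedTitle) . '</h1>';
}

// Constructed scenario: the advisory's payload submitted as the Title.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO categories (id, title) VALUES (1, 'News')");

$submittedTitle = "<script>alert('XSS');</script>";
updateCategoryTitle($db, 1, $submittedTitle);

// The database holds the raw payload; only the rendered HTML is encoded.
$stored = loadCategoryTitle($db, 1);
$html = renderCategoryHeading($stored);
echo $html, PHP_EOL;
// <h1 class="category-title">&lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;</h1>

// Self-check: no raw tag survives the encoding step.
assert(strpos($html, '<script') === false);
```

Run it with `php example.php` (requires the pdo_sqlite extension, which ships with most PHP builds). The design point is that encoding belongs to the output context: htmlspecialchars() is correct for an element body or a quoted attribute, but a title placed into a JavaScript string, a URL or an unquoted attribute needs a different encoder, and a value that was HTML-encoded on the way into the database would be wrong in all of those places.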

Original References

- Badaso v2.9.7 GitHub Repository: https://github.com/uasoft-indonesia/badaso
- CVE-2023-38974: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38974

3. Craft a malicious payload, such as <script>alert('XSS');</script>.

Save the changes to the category.

6. Now, whenever a user accesses the edited category or a page displaying the category, the attacker's payload will execute.

Conclusion

The stored XSS vulnerability in the Edit Category function of Badaso v2.9.7 (CVE-2023-38974) has been detailed in this post, along with code snippets and exploitation steps. It is crucial for developers to be aware of such vulnerabilities in their web applications and take the necessary precautions, including validating and sanitizing user inputs, to prevent any potential security breaches.

Timeline

Published on: 08/25/2023 01:15:08 UTC
Last modified on: 08/29/2023 16:05:48 UTC