XSS vulnerability from Sourcecodester Lead Manager Tool 1.0 (update-leads.php)
CVE-2024-7942
A vulnerability has been found in SourceCodester Leads Manager Tool 1.0 and classified as problematic. This vulnerability affects unknown code of the file update-leads.php. The manipulation of the argument phone_number leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Affected Project: Lead Manager Tool 1.0
Official Website: https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html
Version: 1.0
Related Code file: update-leads.php
Injection parameter: phone_number
Vulnerability Description
The phone_number parameter is vulnerable to the tested XSS payload: %3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e
This string is URL-encoded; once decoded, it attempts to inject a script into the webpage:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Because the application does not properly sanitize or validate the phone_number input, this script could be executed in the user's browser, leading to an XSS attack.
Analysis
echo "
<script>
alert('Leads Update Successfully');
window.location.href = 'http://localhost/leads-manager-tool/';
</script>
";
In this block, user input is not used directly, but any dynamic content output inside this <script> tag that is derived from user input would be a point of XSS.
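As an added example that is not part of the tool's source or of this advisory, the following PHP contrasts the unsafe pattern described above (interpolating phone_number straight into HTML) with a hardened version that validates the parameter on input and encodes it on output. The function names and the way the value is read are assumptions.

```php
<?php
// Added example, not code from the Leads Manager Tool. Function names and the
// HTML context (a table cell) are assumptions.

// Unsafe: the raw parameter is interpolated into HTML, so the decoded payload
// <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> is rendered as markup.
function render_phone_unsafe(string $phone): string
{
    return "<td>$phone</td>";
}

// Hardened, step 1: server-side validation. A phone number only needs digits,
// spaces, an optional leading plus and a little punctuation; anything else is
// rejected before it is stored or echoed.
function validate_phone(string $phone): ?string
{
    $phone = trim($phone);
    if (!preg_match('/^\+?[0-9][0-9 ()\-]{4,19}$/', $phone)) {
        return null;
    }
    return $phone;
}

// Hardened, step 2: contextual output encoding. htmlspecialchars() with
// ENT_QUOTES converts <, >, &, " and ' into entities, so the browser displays
// the value as text instead of parsing it as HTML.
function render_phone_safe(string $phone): string
{
    return '<td>' . htmlspecialchars($phone, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed input: the advisory's payload after URL decoding.
$payload = rawurldecode('%3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e');

echo render_phone_unsafe($payload), PHP_EOL;  // script tag reaches the page
var_dump(validate_phone($payload));           // NULL: rejected by validation
echo render_phone_safe($payload), PHP_EOL;    // &lt;IMG ... shown as text
echo render_phone_safe(validate_phone('+1 555 010 0199') ?? 'invalid'), PHP_EOL;
```

Validation alone is not enough where other fields accept free text; the output encoding in render_phone_safe() is the control that must be applied to every value echoed into update-leads.php.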
Demonstration
Below is what the Leads Manager Tool looks like:
We can update leads as follows:
Intercept the update (update-leads.php) traffic using Burp Suite and inject the following payload:
%3cIMG%20%22%22%22%3e%3cSCRIPT%3ealert(%22XSS%22)%3c%2fSCRIPT%3e%22%3e
The payload used above is URL-encoded and decodes as <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
Upon sending the modified request containing the XSS payload, we can verify the vulnerability: