In this article, we dive into the details of CVE-2022-3716, a cross-site scripting (XSS) vulnerability in the SourceCodester Online Medicine Ordering System, version 1. We will break down what the vulnerability is, how it can be exploited, and what can be done to secure your application. If you're running this software, or just want to learn about web security, stick around for practical insights and hands-on code examples.
What Is CVE-2022-3716?
This CVE relates to a security flaw in the Online Medicine Ordering System developed by SourceCodester. The vulnerability has an associated database identifier: VDB-212347.
Vulnerable File and Parameters
- File: /omos/admin/?page=user/list
- Parameters: First Name, Middle Name, Last Name
Any one of these inputs can be used by an attacker to inject JavaScript into the page. This happens because the application does not encode user input before rendering it on admin pages.
How Does the Vulnerability Work?
Cross-site scripting (XSS) occurs when an application includes untrusted data in a web page without proper escaping or encoding. This opens the door for attackers to execute scripts in the context of another user's browser session.
In this application the flaw plays out as follows:
1. An attacker enters script content into the First Name, Middle Name or Last Name field of the user registration or edit-profile form, and the value is stored as entered.
2. These fields are displayed on the user list page without encoding.
3. Any admin or user visiting the /omos/admin/?page=user/list page unknowingly runs the attacker's code.
Step 1: Insert Malicious Input
Log in to the application and access the user registration or edit profile form. In the "First Name" field, enter:
`<script>alert('XSS!')</script>`
- The Middle Name and Last Name fields are equally vulnerable.
Step 2: View the User List
Now, visit (or have an admin visit):
`http://your-server/omos/admin/?page=user/list`
Once the user list is loaded, the alert pops up, showing that the injected script is executed.
Sample Attack Scenario
```http
POST /omos/admin/?page=user/add HTTP/1.1
...
First Name=<script>alert('XSS')</script>
Middle Name=John
Last Name=Doe
```
[Image: fake form with malicious payload example]
Here's a simple code snippet to encode output using PHP. Note that the encoding is applied at the moment the value is written into the HTML, not when it is stored, so existing records are protected too:
```php
// Encode a value for safe insertion into HTML; ENT_QUOTES covers both
// single and double quotes so the result is also safe inside attributes.
function sanitize($input) {
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// When displaying user data:
echo sanitize($user['First Name']);
```
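To make the difference concrete, here is a stand-alone example added to this article; it is not code from the original post or from the SourceCodester project. It renders a user-list row the vulnerable way (raw interpolation) and the hardened way (every value HTML-encoded at output), using constructed rows that include the article's payload, and adds a small audit helper that reports which stored rows already contain markup so an admin can clean them up after patching. The column names `firstname`, `middlename` and `lastname` and all function names are assumptions, not the project's real identifiers.

```php
<?php
// Added example (not the original post's or the SourceCodester project's code).
// Field names firstname/middlename/lastname and the function names are assumptions.
declare(strict_types=1);

/** Encode a value for safe insertion into HTML element content or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning '' for the whole string, which would silently drop the data.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: stored values are interpolated into the page exactly as they were saved. */
function render_user_row_vulnerable(array $user): string
{
    return "<tr><td>{$user['firstname']}</td><td>{$user['middlename']}</td>"
        . "<td>{$user['lastname']}</td></tr>";
}

/** Hardened: identical markup, but every untrusted value passes through e() first. */
function render_user_row_safe(array $user): string
{
    return '<tr><td>' . e($user['firstname']) . '</td><td>' . e($user['middlename'])
        . '</td><td>' . e($user['lastname']) . '</td></tr>';
}

/**
 * Audit helper for records saved before the fix. Output encoding already neutralises
 * them, but an admin will want to know which rows carry markup. strip_tags() is used
 * here only as a detection heuristic (does the value change when tags are removed?),
 * never as a sanitizer for output.
 */
function find_stored_markup(array $users): array
{
    $findings = [];
    foreach ($users as $i => $user) {
        foreach (['firstname', 'middlename', 'lastname'] as $field) {
            if (strip_tags($user[$field]) !== $user[$field]) {
                $findings[] = ['row' => $i, 'field' => $field];
            }
        }
    }
    return $findings;
}

// Constructed sample rows: one ordinary user (with an apostrophe, which must survive
// encoding intact as text) and one carrying the payload quoted in the article.
$users = [
    ['firstname' => 'Jane', 'middlename' => 'Q', 'lastname' => "O'Neil"],
    ['firstname' => "<script>alert('XSS')</script>", 'middlename' => 'John', 'lastname' => 'Doe'],
];

echo "Vulnerable rendering (second row contains a live script element):\n";
foreach ($users as $u) {
    echo render_user_row_vulnerable($u), "\n";
}

echo "\nHardened rendering (the same row now renders the payload as visible text):\n";
foreach ($users as $u) {
    echo render_user_row_safe($u), "\n";
}

echo "\nStored rows that contain markup:\n";
echo json_encode(find_stored_markup($users), JSON_PRETTY_PRINT), "\n";
```

Run it with `php example.php` and compare the two table fragments: the browser would execute the first, while the second shows `&lt;script&gt;` as harmless text. Keeping encoding in a single helper such as `e()` and calling it at every output point is what makes the fix auditable; a grep for `echo $user[` or `{$user[` inside HTML is a quick way to find output points that bypass it.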
References and Further Reading
- VulDB Advisory for CVE-2022-3716 / VDB-212347
- OWASP Cross Site Scripting (XSS) Page
- Original SourceCodester Project
Final Thoughts
CVE-2022-3716 is a classic example of why input validation and output encoding are critical in web applications. Attackers can abuse even simple forms to compromise systems, so audit every field that is rendered back to a page, especially when using open-source software.
If you're running SourceCodester’s Online Medicine Ordering System, review your codebase for unescaped output, follow secure coding guidelines, and apply the fixes immediately.
Do you have questions about secure PHP coding or need help patching your system? Drop a comment below! Stay secure!
Timeline
Published on: 10/27/2022 10:15:00 UTC
Last modified on: 10/28/2022 18:29:00 UTC