CVE-2022-42187 is a recently discovered Cross-Site Scripting (XSS) vulnerability found in the Hustoj 22.09.22 online judge platform's /admin/problem_judge.php file. XSS vulnerabilities are typically exploited by malicious actors to execute arbitrary scripts in the context of a user's browser, leading to a range of possible consequences such as compromised accounts, stolen credentials, or defaced webpages. In this post, we provide an in-depth analysis of the CVE-2022-42187 vulnerability, including code snippets, detailed explanations, and steps to mitigate the issue.

Detailed Exploitation

The vulnerability lies in the /admin/problem_judge.php file, where values are interpolated into the HTML response without validation or output encoding, so any markup stored in those values is rendered as part of the page and an attacker can inject arbitrary JavaScript. Here is the problematic code (the 0 indices, lost in extraction, are restored from the surrounding $row[1], $row[2] and $row[3] references):

// File: /admin/problem_judge.php
// Vulnerable version: $row is one result row from the problem table and every
// column is written straight into the markup, inside single-quoted attributes,
// an unquoted id attribute and element text.

// ...

echo "<tr>
        <td>
          <input type=checkbox name='pid[]' value='$row[0]' ".
          ($_COOKIE["printer"]=="$"?"disabled":"").
          ">"."</td>
        <td>$row[0]</td>
        <td><a href='../problem.php?id=$row[0]'>$row[1]</a></td>
        <td>$row[2]</td>
        <td><span id=res$row[0]></span></td>
        <td>".$row[3]."</td>
      </tr>";

As seen in the above snippet, the elements of $row are used directly in the echo statement without any validation or output encoding. An attacker can exploit this by crafting a malicious URL that contains JavaScript code, which is then fetched by the application and rendered in the browser. The following is an example of a malicious URL exploiting this vulnerability:

http://example.com/admin/problem_judge.php?pid[]=<script>alert('XSS')</script>;

When a legitimate user visits this malicious URL, the JavaScript code is executed in their browser, leading to the various consequences mentioned earlier.

Original References and Acknowledgments

- CVE MITRE page
- National Vulnerability Database (NVD) page
- Vulnerability reported by GitHub user

Mitigation Steps

To protect yourself from this vulnerability, it's crucial to apply proper input validation and output encoding before user-controlled values are written into HTML. In the vulnerable file, you can apply the htmlspecialchars() function to each column before echoing it. Because the attributes in this template are single-quoted, pass the ENT_QUOTES flag (without it, htmlspecialchars() leaves the single quote untouched on PHP versions before 8.1, and a value such as a' onmouseover='... would still break out of the attribute), and quote the id attribute, which the original leaves bare. Here's an example of the updated and secure code:

// File: /admin/problem_judge.php

// ...

// Encode every column for an HTML context. ENT_QUOTES is needed because the
// attributes below are single-quoted; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole cell into an empty string.
$safe_row = array_map(
    function ($v) { return htmlspecialchars((string)$v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); },
    $row
);

echo "<tr>
        <td>
          <input type=checkbox name='pid[]' value='{$safe_row[0]}' ".
          ($_COOKIE["printer"]=="$"?"disabled":"").
          ">"."</td>
        <td>{$safe_row[0]}</td>
        <td><a href='../problem.php?id={$safe_row[0]}'>{$safe_row[1]}</a></td>
        <td>{$safe_row[2]}</td>
        <td><span id='res{$safe_row[0]}'></span></td>
        <td>".$safe_row[3]."</td>
      </tr>";

With this change, the application no longer renders injected markup from these values, so the script in the example above is displayed as text instead of executed. Apply the same encoding at every other place the same columns are printed, and keep your Hustoj installation up to date, since the developers may release an official patch for this vulnerability.
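To show the mitigation working end to end, here is an added, self-contained PHP example (not Hustoj's own code) that builds the same table row as a function, encodes every column for its HTML context, and checks the result on a constructed hostile row. The helper names esc() and render_problem_row(), the column layout ([0] id, [1] title, [2] source, [3] extra cell) and the sample rows are assumptions made for this example.

```php
<?php
// Added example, not part of Hustoj: render one problem row with proper HTML
// output encoding and verify that hostile column values are neutralised.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a quoted attribute. */
function esc($value): string
{
    // ENT_QUOTES covers both ' and " because the row uses single-quoted
    // attributes; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render one row of the problem list. The column layout mirrors the page's
 * snippet and is an assumption: [0] problem id, [1] title, [2] source,
 * [3] extra cell. $printerDisabled replaces the original cookie check.
 */
function render_problem_row(array $row, bool $printerDisabled): string
{
    $id = esc($row[0]);
    $disabled = $printerDisabled ? ' disabled' : '';
    return "<tr>\n"
        . "  <td><input type='checkbox' name='pid[]' value='{$id}'{$disabled}></td>\n"
        . "  <td>{$id}</td>\n"
        . "  <td><a href='../problem.php?id={$id}'>" . esc($row[1]) . "</a></td>\n"
        . "  <td>" . esc($row[2]) . "</td>\n"
        . "  <td><span id='res{$id}'></span></td>\n"   // id attribute now quoted
        . "  <td>" . esc($row[3]) . "</td>\n"
        . "</tr>\n";
}

// Constructed sample rows: a benign one and one whose title and source carry
// markup and a single quote, the characters that break out of this template.
$rows = [
    [1000, 'A+B Problem', 'classic', ''],
    [1001, "<script>alert('x')</script>", "it's a test", '<b>bold</b>'],
];

foreach ($rows as $row) {
    echo render_problem_row($row, false);
}

// Self-checks on the hostile row: no raw tag and no unencoded quote survive.
$html = render_problem_row($rows[1], false);
if (strpos($html, '<script') !== false || strpos($html, "alert('x')") !== false) {
    throw new RuntimeException('output encoding failed');
}
// With ENT_QUOTES and the default HTML 4.01 doctype a single quote becomes &#039;.
if (esc("it's") !== 'it&#039;s') {
    throw new RuntimeException('ENT_QUOTES not in effect');
}
echo "encoding checks passed\n";
```

Run it with php on the command line: the second row prints with &lt;script&gt; and &#039; in place of the raw characters, and the two checks at the end throw if either the tag or the quote were to reach the output unencoded. Keeping the row in a function also makes the encoding the only way a column can reach the page, which is easier to review than an inline echo.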

Conclusion

CVE-2022-42187 is a significant Cross-Site Scripting vulnerability in the Hustoj 22.09.22 online judge platform, which allows attackers to execute arbitrary scripts and potentially compromise user accounts or steal credentials. By following the detailed exploitation explanation, code snippets, and mitigation steps provided in this post, you can effectively protect your application from this vulnerability and ensure a safer online experience for your users.

Timeline

Published on: 11/17/2022 04:15:00 UTC
Last modified on: 11/17/2022 23:24:00 UTC