CVE-2023-2055 - Cross-Site Scripting in Campcodes Advanced Online Voting System 1. Explained

A serious vulnerability, CVE-2023-2055, has been uncovered in the Campcodes Advanced Online Voting System version 1.. This vulnerability allows attackers to execute Cross-Site Scripting (XSS) attacks remotely by manipulating the title parameter in the /admin/config_save.php file. Understanding what this means and how it works is important for anyone running or maintaining this software. In this post, we'll break down the vulnerability, show you how it can be exploited, and offer some basic guidance to help prevent such attacks.

What is Cross-Site Scripting (XSS)?

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS flaws occur when a web application includes untrusted data without proper validation or escaping, allowing attackers to execute malicious scripts in the browser of users. This can lead to stolen credentials, hijacked sessions, and much more.

About Campcodes Advanced Online Voting System

Campcodes Advanced Online Voting System is an open-source platform built using PHP and MySQL, designed to handle voting processes digitally. Version 1. is affected by this XSS vulnerability.

Vulnerability Details

- Vulnerability ID: CVE-2023-2055 / VDB-225940
- Affected File: /admin/config_save.php

Disclosure status: Publicly disclosed

According to VDB-225940, the vulnerability is due to improper sanitization of the title parameter in the admin configuration section. When an attacker submits a specially crafted payload to the title field, the script is saved and later served to admins or users, which can then be executed in their browser.

Location in Code

The vulnerable code is found in the /admin/config_save.php file, which handles saving configuration items such as the site title.

Here’s a simplified (illustrative) code snippet of what might be happening inside

<?php
// Get the title parameter from POST request
$title = $_POST['title'];

// Save the title directly (VULNERABLE)
file_put_contents('config_data.txt', "Title: " . $title);

// Later, this title is echoed in admin dashboard
echo "<h1>" . $title . "</h1>";
?>

The problem: There is no filtering, escaping, or sanitization of the input.

An attacker can craft a malicious input such as

"><script>alert('XSS')</script>

It's stored directly in the configuration file.

- When an admin or user visits a page that displays the title, their browser executes the attacker’s script.

Result: The attacker’s JavaScript runs in the admin’s browser. This could be anything from showing a popup (as in the example above) to stealing session cookies or performing actions on behalf of the admin.

Here’s how the attacker could automate the exploit with a simple curl command

curl -X POST \
  -d "title=%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E" \
  http://target-site.com/admin/config_save.php

Official References

- CVE-2023-2055 on VulDB (VDB-225940)
- Campcodes Advanced Online Voting System
- OWASP XSS Cheat Sheet

How to Fix

#### The best way to fix this issue is to sanitize and escape user input. Here’s an improved code snippet:

<?php
// Get the title parameter from POST request
$title = htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');

// Now save and display are both safe
file_put_contents('config_data.txt', "Title: " . $title);
echo "<h1>" . $title . "</h1>";
?>

- htmlspecialchars() converts special characters to HTML entities, making it safe to display in the browser.

Conclusion

CVE-2023-2055 is a clear example of how missing input validation and sanitization can put web applications at risk. If you run Campcodes Advanced Online Voting System 1., consider patching the code as shown above, and check your application for other points where user input is processed without validation. Always stay up to date with security advisories for the software you use.

Stay safe and keep your code secure!

Disclaimer: This post is for educational purposes only. Don't use this information to attack systems without authorization. Always test only in your own environment or with explicit permission.


*If you need more help securing your online voting system, OWASP's XSS Prevention Cheat Sheet is a great place to start.*

Timeline

Published on: 04/14/2023 13:15:00 UTC
Last modified on: 04/22/2023 02:13:00 UTC