CVE-2023-38971 - Exploiting a Persistent Cross-Site Scripting Vulnerability in Badaso v..1 to v2.9.7

Published: June 2024

Author: [Your Name]

Badaso is a popular Laravel-based open source admin panel platform. However, versions from ..1 through 2.9.7 were found to contain a persistent Cross-Site Scripting (XSS) vulnerability, officially tracked as CVE-2023-38971. In this article, I’ll break down what this bug is, how it works, show you a working exploit, and explain how to mitigate it.

What Is CVE-2023-38971?

CVE-2023-38971 is a web security issue where an attacker can inject malicious JavaScript code into the rack number parameter while using the “Add New Rack” feature in Badaso. This code then gets stored on the server and is executed every time any user views the page containing the crafted input - classic _stored XSS_.

Affected Versions: ..1 up to and including 2.9.7

This creates a risk that an attacker could hijack sessions, steal user data, or run any action a privileged user could do in their browser.

Technical Details (With Code Snippet)

Suppose you have access to the Badaso admin interface. On the sidebar, under Data Center Management, there’s a section to manage racks. Here, you can add a new rack, filling in details like “Rack Name,” “Rack Number,” and so on.

The trouble is, the application does not sanitize the rack_number input prior to saving it to the database or rendering it on the racks listing page.

> Original disclosure:
> See the GitHub advisory and CVE page.

Let’s say the form for “Add New Rack” looks like this in the frontend

<form method="POST" action="/admin/rack/add">
  <!-- ... -->
  <label for="rack_number">Rack Number</label>
  <input type="text" name="rack_number" />
  <!-- ... -->
  <button type="submit">Add Rack</button>
</form>

If you enter the following as the Rack Number

"><script>alert('XSS!')</script>

It gets submitted to the server, stored in the database as part of the rack record, and rendered unsafely in the racks listing page for all admins.

Here’s a simplified snippet illustrating the risk

// Pseudo-code inside Badaso Rack Controller

// Adding a new rack
$rackNumber = $_POST['rack_number']; // NO sanitization here!
$insertQuery = "INSERT INTO racks (rack_number) VALUES ('$rackNumber')";
mysqli_query($db, $insertQuery);

// Later, listing racks
echo "<td>{$row['rack_number']}</td>"; // Outputting unsanitized user input!

This code will output whatever the user entered right into the HTML, unescaped.

Exploit Walkthrough

Step 1. Attacker logs in with their own low-privilege account or leverages CSRF/social engineering.

Step 2. In the “Add New Rack” form, enters the following in the “Rack Number” field

"><img src=x onerror=alert('XSS')>

Step 3. The app saves the value as-is into the database.

Step 4. Any user (including an admin) who later views the racks management page sees the injected tag. The attacker’s JavaScript runs in their browser, potentially exfiltrating session cookies or issuing malicious actions.

Proof of Concept (PoC) Video

If you’re curious, this YouTube Proof-of-Concept demonstrates a similar XSS attack.

Account Takeover: A malicious script can steal admin cookies and hijack sessions.

2. Worming: The script could auto-create more infected “racks,” spreading the attack internally.

Data Exfiltration: The attacker can upload private data from affected users’ machines.

4. Full System Compromise: If the admin’s session is hijacked, the attacker may fully control your Badaso installation.

Mitigation and Fix

The bug is fixed in Badaso v2.9.8+ by sanitizing and escaping user inputs, especially on render.

Review server logs for suspicious activity in the “add rack” pages.

- Ensure your web application filters, escapes, or sanitizes ALL user input/output.

If you cannot upgrade for some reason, add escaping to your output code

// Instead of this
echo "<td>{$rack_number}</td>";

// Use this
echo "<td>" . htmlspecialchars($rack_number, ENT_QUOTES, 'UTF-8') . "</td>";

Best Practices

- Always escape output: Use framework functions like htmlspecialchars() in PHP or Blade {{ }} in Laravel.

References & Further Reading

- Badaso official repo
- CVE-2023-38971 on NVD
- GitHub Security Advisory
- Understanding XSS

Conclusion

CVE-2023-38971 is a classic reminder of how crucial it is to treat every bit of user input as *dangerous by default*. For anyone running Badaso versions earlier than 2.9.8, patch as soon as possible — and review your code for similar issues elsewhere!

Stay safe & sanitize everything.

*If you found this post helpful, share it with your team and subscribe for more hands-on security breakdowns.*

Timeline

Published on: 08/29/2023 22:15:08 UTC
Last modified on: 08/31/2023 18:21:44 UTC