Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)

Summary

Name	Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)
Code name	Carpenter
Product	Online Blood Donation Management System
Vendor	Projectworlds Pvt. Limited
Affected versions	Version 1.0
State	Public
Release date	2023-10-27

Vulnerabilities

Kind	Stored Cross-Site Scripting (XSS)
Rule	010. Stored cross-site scripting
Remote	Yes
CVSSv3 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score	6.1
Exploit available	Yes
CVE ID(s)	CVE-2023-44484

Description

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php response. The vulnerable code is:

users/register.php:

$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$email = $_POST['email'];
$dob = $_POST['dob'];
$gender = $_POST['gender'];
$address = $_POST['address'];
$city = $_POST['city'];
$mobile = $_POST['mobile'];
$bType = $_POST['blood_group'];

require_once 'php/DBConnect.php';
$db = new DBConnect();
$flag = $db->registerUser($firstName, $lastName, $email, $dob, $gender, $bType, $address, $city, $mobile);

users/DBConnect.php:

public function registerUser($firstName,$lastName,$email,$dob,$gender,$b_type,$address,$city,$mobile){
 $stmt = $this->db->prepare("INSERT INTO users (first_name,last_name,email,dob,gender,b_type,address,city,mobile) VALUES (?,?,?,?,?,?,?,?,?)");
 $stmt->execute([$firstName,$lastName,$email,$dob,$gender,$b_type,$address,$city,$mobile]);
    return true;
}

users/member.php:

require_once 'php/DBConnect.php';
$db = new DBConnect();
$users = $db->getUsers();
...
<?php include 'layout/_member_layout.php'; ?>

layout/_member_layout.php:

<?php foreach($users as $u): $i++;?>
<tr class="<?php if($i%2==0){echo $bg_background;}else{echo 'bg-danger';} ?>">
 <td><?= $u['first_name']." ".$u['last_name']; ?></td>
 <td><?= $u['email']; ?></td>
 <td><?= $u['dob']; ?></td>
 <td><?= $u['gender']; ?></td>
 <td><?= $u['b_type']; ?></td>
 <td><?= wordwrap($u['address'], 26, '<br>'); ?></td>
 <td><?= $u['city']; ?></td>
 <td><?= $u['mobile']; ?></td>
</tr>

Our security policy

We have reserved the ID CVE-2023-44484 to refer to this issue from now on.

• https://fluidattacks.com/advisories/policy/

System Information

• Version: Online Blood Donation Management System v1.0
• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://projectworlds.in/

Timeline