Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)

Summary

Name	Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)
Code name	Carpenter
Product	Online Blood Donation Management System
Vendor	Projectworlds Pvt. Limited
Affected versions	Version 1.0
State	Public
Release date	2023-10-27

Vulnerabilities

Kind	Stored Cross-Site Scripting (XSS)
Rule	010. Stored cross-site scripting
Remote	Yes
CVSSv3 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSSv3 Base Score	6.1
Exploit available	Yes
CVE ID(s)	CVE-2023-44484

Description

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php response. The vulnerable code is:

users/register.php:

$firstName = $_POST['firstName']; $lastName = $_POST['lastName']; $email = $_POST['email']; $dob = $_POST['dob']; $gender = $_POST['gender']; $address = $_POST['address']; $city = $_POST['city']; $mobile = $_POST['mobile']; $bType = $_POST['blood_group']; require_once 'php/DBConnect.php'; $db = new DBConnect(); $flag = $db->registerUser($firstName, $lastName, $email, $dob, $gender, $bType, $address, $city, $mobile);

users/DBConnect.php:

public function registerUser($firstName,$lastName,$email,$dob,$gender,$b_type,$address,$city,$mobile){ $stmt = $this->db->prepare("INSERT INTO users (first_name,last_name,email,dob,gender,b_type,address,city,mobile) VALUES (?,?,?,?,?,?,?,?,?)"); $stmt->execute([$firstName,$lastName,$email,$dob,$gender,$b_type,$address,$city,$mobile]);
    return true;
}

users/member.php:

require_once 'php/DBConnect.php'; $db = new DBConnect(); $users = $db->getUsers(); ... <?php include 'layout/_member_layout.php'; ?>

layout/_member_layout.php:

<?php foreach($users as $u): $i++;?> <tr class="<?php if($i%2==0){echo $bg_background;}else{echo 'bg-danger';} ?>"> <td><?= $u['first_name']." ".$u['last_name']; ?></td> <td><?= $u['email']; ?></td> <td><?= $u['dob']; ?></td> <td><?= $u['gender']; ?></td> <td><?= $u['b_type']; ?></td> <td><?= wordwrap($u['address'], 26, '<br>'); ?></td> <td><?= $u['city']; ?></td> <td><?= $u['mobile']; ?></td> </tr>

Our security policy

We have reserved the ID CVE-2023-44484 to refer to this issue from now on.

• https://fluidattacks.com/advisories/policy/

System Information

• Version: Online Blood Donation Management System v1.0
• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://projectworlds.in/

Timeline