Customer Support System 1.0 - Stored XSS

Exploit Author: Geraldo Alcantara Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2024-07-01

# Exploit Title:  Customer Support System 1.0 - (XSS) Cross-Site
Scripting Vulnerability in the "subject" at "ticket_list"
# Date: 28/11/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage:
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-49976
*Steps to reproduce:*
1- Log in to the application.
2- Visit the ticket creation/editing page.
3- Create/Edit a ticket and insert the malicious payload into the
"subject" field/parameter.
Payload: <dt/><b/><script>alert(document.domain)</script>

Customer Support System 1.0 — Stored XSS (CVE-2023-49976)

Overview

Customer Support System 1.0 (PHP/MySQLi) contains a stored Cross‑Site Scripting (XSS) vulnerability in the ticket "subject" field. The vulnerability allows an attacker who can create or edit tickets to inject HTML/JavaScript that will be stored in the database and executed in other users' browsers when they view the ticket list or ticket details.

Key facts

Vulnerability type: Stored XSS (persistent)
Affected component: ticket subject rendering (ticket_list / ticket view)
CVE: CVE-2023-49976
Exploit context: attacker submits JavaScript via the subject field; stored payload executes in victims' browser when viewing the page
Impact: session theft, CSRF via JavaScript, account takeover, defacement, data exfiltration depending on privilege/context

Vulnerability details and root cause

Stored XSS occurs when untrusted user input is persisted and later rendered into a page without proper encoding or sanitization. In this application the ticket subject is accepted and stored into the database, then printed directly into HTML output. When that output is not contextually encoded, an attacker-supplied script will run in the context of the vulnerable site.

Example payload (reported)

One reported payload used in testing:

<dt/><b/><script>alert(document.domain)</script>

This payload demonstrates script execution in a victim's browser; real attacks can use more harmful JavaScript.

Simple Proof-of-Concept (high level)

Log in as a user who can create or edit tickets.
Insert a JavaScript payload into the "subject" field and save the ticket.
When another user or the same user views the ticket list or the ticket details that render the subject, the injected script runs.

Typical vulnerable code pattern (PHP)

<!-- Vulnerable: prints subject directly into HTML -->
<td><?php echo $ticket['subject']; ?></td>

Explanation: This code outputs raw data from the database directly into an HTML page. If the stored value contains HTML or JavaScript, the browser will parse and execute it. This is the classic stored XSS scenario.

Recommended fix — context‑aware output encoding

The primary fix for XSS is to treat all untrusted data as potentially hazardous and encode it appropriately when rendering. For HTML element content, use htmlspecialchars with ENT_QUOTES and UTF-8:

<!-- Safe: encode before outputting -->
<td><?php echo htmlspecialchars($ticket['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></td>

Explanation: htmlspecialchars converts characters like &, <, >, and quotes into HTML entities (&, <, >, ") so the browser renders them as text rather than interpreting them as markup or script. ENT_SUBSTITUTE helps handle invalid byte sequences safely.

Context-specific encoding examples

HTML element body (above): use htmlspecialchars.
HTML attribute: use htmlspecialchars and ensure proper quoting of attributes.
JavaScript context: use JSON encoding (json_encode in PHP) to embed strings safely.
CSS or URL contexts: use a strict whitelist or specialized encoders.

Example — safe embedding in an attribute

<!-- Example: placing subject in a data attribute -->
<div data-subject="<?php echo htmlspecialchars($ticket['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>">...</div>

Explanation: Using htmlspecialchars with ENT_QUOTES also encodes single and double quotes, avoiding attribute-breaking injection. Always wrap the attribute in quotes.

Additional mitigation measures

Input validation: perform light validation (length limits, disallow control characters). Do not rely solely on input filtering for XSS—encoding on output is mandatory.
Sanitization for rich text: if you must accept HTML (WYSIWYG), use a well-maintained HTML sanitizer (e.g., HTMLPurifier for PHP) with a strict whitelist of tags/attributes.
Content Security Policy (CSP): deploy a strong CSP to limit inline script execution and restrict allowed script sources. Example: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
HTTPOnly and Secure cookies: mark cookies HttpOnly and Secure to reduce impact of stolen cookies.
Escape for JS contexts: when inserting values into inline scripts, use json_encode to safely serialize.

Example — CSP header in PHP

<?php
// Strong CSP example (adjust sources as needed)
header(\"Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';\");
?>

Explanation: The header restricts where content can be loaded from and blocks inline scripts if 'unsafe-inline' is not present. CSP is defense-in-depth and not a replacement for proper encoding.

Example — using JSON encoding for inline JS

<script>
  // Safely embed a server-side string into JavaScript
  var subject = <?php echo json_encode($ticket['subject'], JSON_UNESCAPED_UNICODE); ?>;
  console.log(subject);
</script>

Explanation: json_encode serializes a PHP string into a JS string literal with proper escaping, preventing injection when the data is used inside a script context.

Testing and detection

Automated scanners: run contemporary SAST/DAST tools and XSS-specific scanners against ticket creation and listing endpoints.
Manual testing: try injecting benign payloads (e.g., <script>alert(1)</script>) into inputs and inspect rendered pages with view-source and browser dev tools.
Code review: search for output echoing user-supplied data without encoding.

Hardening and development best practices

Adopt a "encode on output" policy: never assume stored data is safe; encode it for the context in which it will be used.
Use frameworks' templating systems that auto-escape output when possible.
Document input and output contexts for each API or template and enforce context-appropriate encoding.
Keep third-party libraries (HTML sanitizers, frameworks) up-to-date and use maintained libraries for rich text input.

Detection & remediation checklist for administrators

Task	Notes
Identify stored XSS occurrences	Search DB fields for common XSS payload markers (e.g., <script>, onerror=, <img, <svg>).
Patch code	Apply output encoding changes in all templates and endpoints that render user input.
Sanitize existing records	If necessary, sanitize or encode existing DB records using a safe approach (prefer encoding on read, or sanitize with a vetted library).
Deploy CSP and cookie flags	Add strict CSP, and set cookies to HttpOnly and Secure.
Retest	Perform regression tests and confirm the vulnerability is fixed in staging before pushing to production.

Developer checklist — practical rules

Always escape with the correct function for the output context (HTML, attribute, JS, CSS, URL).
Prefer server-side encoding; client-side escaping is supplementary.
Limit input length and use allowlists for structured inputs (e.g., email, numeric IDs).
For stored content that must accept HTML, sanitize aggressively with well-reviewed libraries.

References

Vendor / source code listing: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
Exploit advisory and test details: CVE-2023-49976 (refer to vendor/security advisory for timeline)
OWASP XSS Prevention Cheat Sheet — practical encoding rules