Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting

Exploit Author: Shubham Pandey Analysis Author: www.bubbleslearn.ir Category: Remote Language: PHP Published Date: 2024-03-03 
# Exploit Title: Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting
# Date: 01-03-2024
# Exploit Author: Shubham Pandey
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: 1.0
# Tested on: Windows, Linux
# CVE : CVE-2024-27743
# Description: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the Address parameter in the add_invoices.php component.
# POC:
1. Here we go to : http://localhost/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and
Password=admin
3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"
4. Fill the payload "<script>alert(0)</script>" in "Address" field
5. Stored XSS will be present in "
http://localhost/fuelflow/admin/manage_invoices.php" page
# Reference:
https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.md


Petrol Pump Management Software v1.0 — Stored Cross‑Site Scripting in "Address" Field (CVE-2024-27743)

Summary

Petrol Pump Management Software v1.0 contains a stored Cross‑Site Scripting (XSS) weakness where user-supplied text from an "Address" input is persisted and later rendered in an administrative invoice listing page without proper encoding. This allows an attacker who can submit invoice data to cause arbitrary script execution in the browsers of users who view the affected page. The issue is tracked as CVE-2024-27743.

Why this matters

Stored XSS is particularly dangerous because malicious content is saved on the server and served to multiple users later. Successful exploitation can lead to session theft, account takeover, persistent defacement, malicious redirects, or second‑stage attacks against site administrators.

Vulnerability snapshot

Item Details
Vulnerability class Stored Cross‑Site Scripting (XSS)
Affected product Petrol Pump Management Software v1.0
CVE CVE-2024-27743
Root cause Untrusted input persisted and rendered without context‑appropriate encoding
Primary mitigation Output encoding, input validation, and Content Security Policy

Technical description (high level)

When applications accept free‑text fields (like an address) and later include those values inside HTML pages, they must ensure that content is either safely encoded for the output context (HTML text, attribute, JavaScript, CSS, URL) or reduced to a safe subset. In this case, data stored from the address field is rendered into an admin page as part of the HTML document without proper escaping, enabling execution of injected scripts in viewers' browsers.

Reproduction (overview)

A reproduced case showed that input placed into the address field was stored by the application and later displayed on an invoice management page. Because the application emitted the stored content straight into the HTML page, a crafted input containing script content could execute in the context of an administrator’s browser. (This section purposefully describes the general pattern and not step‑by‑step exploit payloads.)

Secure coding remediation (PHP examples)

Below are safe coding patterns to prevent stored XSS in typical PHP applications. The core principle: encode on output, validate on input, and use a library for safe HTML if HTML must be allowed.

// Insecure pattern (example):
// value is read from the database and printed directly into the page
echo $invoice['address'];

Explanation: This prints untrusted data directly into the HTML document. If the stored value contains scriptable content, it will execute in the browser.

// Recommended safe pattern — context‑aware HTML encoding:
$safe_address = htmlspecialchars($invoice['address'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
echo $safe_address;

Explanation: htmlspecialchars converts special characters (&, <, >, ", ') so content is treated as text in the HTML body instead of as markup or script. ENT_SUBSTITUTE prevents invalid UTF‑8 from causing encoding issues. Always specify UTF‑8 when dealing with Unicode input.

// If limited HTML must be allowed, use a vetted sanitizer (example: HTMLPurifier)
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,br,strong,em,a[href]');
$purifier = new HTMLPurifier($config);
$clean_address = $purifier->purify($invoice['address']);
echo $clean_address;

Explanation: If your business requirement permits a subset of HTML (for example line breaks or basic formatting), use a well‑maintained sanitizer like HTMLPurifier to remove dangerous tags and attributes rather than attempting ad‑hoc filtering.

Additional defensive controls

  • Content Security Policy (CSP): Add a restrictive CSP to reduce the impact of successful XSS, for example limiting script sources to the same origin and using nonces for inline scripts. Example header: Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
  • HttpOnly and Secure cookies: Mark session cookies HttpOnly and Secure so they cannot be read by JavaScript and are only transmitted over HTTPS.
  • Input validation: Enforce length limits and character sets appropriate to the field (e.g., allow only expected characters for addresses, while being careful not to over‑restrict useful international input).
  • Output encoding libraries: Use framework or language-native encoding helpers that are context aware (HTML, attribute, JavaScript, URL, CSS) rather than a one‑size approach.
  • Web Application Firewall (WAF): Use a WAF for additional filtering and to block known attack patterns as an interim mitigation until code is patched.

Testing and detection

  • Perform code review to identify locations where stored data is interpolated into HTML pages without encoding.
  • Use automated SAST/DAST tools that detect XSS sink patterns and stored injection flows.
  • Manually inspect pages that display user‑supplied content (comments, addresses, descriptions) and verify that special characters are safely encoded in the delivered HTML.
  • Review server and access logs for suspicious submissions and repeated posting patterns that may indicate attempted stored payloads.

Mitigation and incident response for administrators

  • Apply vendor patches or updated code as soon as a fix is available.
  • Identify and remediate any malicious records in the database by removing or cleaning stored values that contain script content.
  • Invalidate sessions for administrative accounts if exploitation is suspected and require password resets for affected users.
  • Enable HTTPS, secure cookie flags, and a CSP to reduce additional attack surface.
  • Monitor error and access logs for anomalies after remediation to ensure no follow‑up activity.

Responsible disclosure and references

This issue was publicly recorded as CVE-2024-27743. For vendor information and official patches, consult the software vendor or the original distribution point for the application. For general XSS mitigation guidance, see OWASP resources on Cross‑Site Scripting and secure output encoding.

  • OWASP XSS Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XSS_Prevention_Cheat_Sheet.html
  • NVD / CVE lookup: search for CVE-2024-27743 on official CVE/NVD portals

Developer checklist to prevent stored XSS

  • Encode all untrusted data at the point of output using the encoding appropriate to the context.
  • Prefer output encoding over input filtering as the primary defence.
  • Use secure libraries (HTMLPurifier, templating engines that auto‑escape) and avoid manual string concatenation into HTML.
  • Limit privileges: minimize which users can create content that appears in administrative views.
  • Adopt automated security testing and include XSS checks in the CI/CD pipeline.