Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
# Date of found: 12/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/
# CVE: CVE-2023-33580
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580
Vulnerability Description -
The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.
Steps to Reproduce -
The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:
1. Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.
2. Click on the "Admin" button to navigate to the admin login page.
3. Login to the Admin account using the default credentials.
- Username: admin
- Password: Test@123
4. Proceed to the Admin Profile page.
5. Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.
6. Click on the "Submit" button.
7. Refresh the page, and the injected payload will be executed.
As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.Student Study Center Management System v1.0 – Stored Cross-Site Scripting (XSS) Vulnerability Analysis
Security vulnerabilities in web applications can have far-reaching consequences, especially when they involve persistent threats like Stored Cross-Site Scripting (XSS). The Student Study Center Management System v1.0, developed by PHPGurukul, has been identified as vulnerable to a critical XSS flaw, which has been assigned the CVE identifier CVE-2023-33580. This vulnerability allows attackers to inject malicious JavaScript code that is stored in the application’s database and executed whenever a user accesses the affected page.
Understanding Stored XSS: The Persistent Threat
Unlike Reflected XSS, where the malicious script is delivered via a URL and executed only once, Stored XSS persists in the application's backend. The injected code is saved in the database, meaning it will be served to every user who visits the page—potentially compromising the entire user base.
For example, if an attacker alters the Admin Name field with a malicious script, that script becomes part of the application’s data. When any user—admin or regular—views the profile page, the script executes in their browser, bypassing the security of their environment.
Exploitation Scenario: Step-by-Step Breakdown
Let’s walk through the real-world exploitation process of this vulnerability:
- Step 1: Access the application at
http://localhost/student-study-center-MS-PHP/sscms/index.php. - Step 2: Navigate to the Admin login page.
- Step 3: Log in using default credentials:
- Username:
admin - Password:
Test@123
- Username:
- Step 4: Access the Admin Profile page.
- Step 5: Inject the payload:
{">alert("XSS")}into the Admin Name field. - Step 6: Submit the form.
- Step 7: Refresh the page—the alert pops up.
This demonstrates that the malicious script was stored and executed without requiring the attacker to be present during the user’s visit.
Technical Root Cause: Inadequate Input Sanitization
The core issue lies in the application’s failure to sanitize user input before storing it in the database. Specifically, the Admin Name field accepts arbitrary text without filtering for HTML or JavaScript characters.
Consider the following vulnerable code snippet (hypothetical representation based on the system’s structure):
// Vulnerable code: No input validation or sanitization
$admin_name = $_POST['admin_name'];
$query = "INSERT INTO admin_profile (name) VALUES ('$admin_name')";
mysqli_query($conn, $query);
Explanation: This code directly uses user input in a SQL query without escaping or sanitizing. If the input contains <script> tags, they are stored as-is in the database. When the profile page renders the name, the script is included in the HTML output, leading to execution.
Why this is dangerous: The lack of proper sanitization allows attackers to inject scripts that can steal cookies, redirect users to phishing sites, or perform actions on behalf of the user—without their consent.
Security Best Practices to Prevent Stored XSS
To prevent such vulnerabilities, developers must implement robust input validation and output encoding. Here’s how to fix the flaw:
// Corrected code: Sanitization and encoding
$admin_name = htmlspecialchars($_POST['admin_name'], ENT_QUOTES, 'UTF-8');
$query = "INSERT INTO admin_profile (name) VALUES (?)";
$stmt = mysqli_prepare($conn, $query);
mysqli_stmt_bind_param($stmt, "s", $admin_name);
mysqli_stmt_execute($stmt);
Explanation: The htmlspecialchars() function converts special characters like < and > into their HTML-safe equivalents (e.g., <). This prevents script tags from being interpreted by the browser. Additionally, using prepared statements with parameterized queries avoids SQL injection risks.
Real-World Impact and Mitigation
Stored XSS vulnerabilities can lead to:
- Cookies theft: Malicious scripts can read and send session cookies to remote servers.
- Phishing attacks: Injected scripts can redirect users to fake login pages.
- Defacement: Unauthorized content can be displayed on public pages.
- Privilege escalation: If the script accesses admin functions, it can compromise the entire system.
For the Student Study Center Management System v1.0, the risk is amplified because the admin profile is accessible to all authenticated users. Even a single compromised admin name can expose the entire platform to attack.
Recommendations for Developers and Users
| Recommendation | Implementation |
|---|---|
| Input Sanitization | Use htmlspecialchars() or similar functions before storing data. |
| Output Encoding | Always encode data when rendering in HTML contexts. |
| Use Prepared Statements | Prevent SQL injection by parameterizing queries. |
| Content Security Policy (CSP) | Implement CSP headers to restrict script execution. |
| Regular Security Audits | Conduct penetration testing and code reviews. |
For users of the Student Study Center Management System, it is crucial to:
- Update to the latest version if available.
- Verify that admin and user roles are properly restricted.
- Monitor for unexpected behavior on profile pages.
Conclusion: A Wake-Up Call for Secure Development
The CVE-2023-33580 vulnerability in the Student Study Center Management System v1.0 serves as a stark reminder: even seemingly simple fields like Admin Name can become attack vectors if not properly secured. As web applications grow in complexity, developers must prioritize security at every stage—from input validation to output rendering.
Stored XSS is not just a theoretical risk; it’s a real, exploitable threat that can compromise entire systems. By adopting defensive coding practices and continuous security testing, developers can prevent such vulnerabilities from ever reaching production.