CVE-2024-33303
📋 TL;DR
SourceCodester Product Show Room 1.0 contains a stored cross-site scripting (XSS) vulnerability in the 'First Name' field when adding users. This allows attackers to inject malicious scripts that execute in victims' browsers when viewing user data. Organizations using this software are affected.
💻 Affected Systems
- SourceCodester Product Show Room
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform account takeover, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers steal user session cookies to hijack accounts, perform actions as authenticated users, or deploy malware through the compromised application.
If Mitigated
With proper input validation and output encoding, the vulnerability is prevented, maintaining normal application functionality.
🎯 Exploit Status
Exploitation requires access to add users (typically authenticated), but the XSS payload execution affects other users viewing the compromised data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider implementing input validation and output encoding as workarounds.
🔧 Temporary Workarounds
Implement Input Validation
Add server-side validation to sanitize the 'First Name' field by removing or encoding special characters.
Edit the PHP file handling user addition to include: htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
Enable Content Security Policy (CSP)
Implement CSP headers to restrict script execution sources, mitigating XSS impact.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or in PHP: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Disable user registration or restrict access to user management functions to trusted administrators only.
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Test by adding a user with a payload like <script>alert('XSS')</script> in the 'First Name' field and check if it executes when viewing the user list.
Check Version:
Check the software version in the admin panel or configuration files; no specific command provided by vendor.
Verify Fix Applied:
After applying workarounds, retest with the same payload; it should be displayed as plain text or encoded, not executed.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing user additions with script tags or unusual characters in the 'First Name' field.
- Unexpected JavaScript execution in user management pages.
Network Indicators:
- HTTP requests to user addition endpoints containing script payloads in POST data.
SIEM Query:
source="web_logs" AND (uri_path="/add_user.php" OR action="add_user") AND (first_name CONTAINS "<script>" OR first_name CONTAINS "javascript:")
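The detection logic above, as an added Python example (not from the original page or the vendor) that goes slightly beyond the SIEM query: it URL-decodes the POST body (twice, to normalise double encoding) and matches the two indicators case-insensitively, since a literal CONTAINS "<script>" check misses %3Cscript%3E and <SCRIPT>. The log line format, the constructed sample records and the /add_user.php endpoint name are assumptions.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample records (not real logs). Assumed format: one line per
# request from a reverse proxy or WAF that records the POST body.
SAMPLE_LOGS = [
    'method=POST uri_path=/add_user.php body="first_name=Alice&last_name=Smith"',
    'method=POST uri_path=/add_user.php body="first_name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&last_name=Smith"',
    'method=POST uri_path=/add_user.php body="first_name=%253CScRiPt%253Ealert%25281%2529%253C%252FScRiPt%253E&last_name=Smith"',
    'method=POST uri_path=/add_user.php body="first_name=Bob&last_name=javascript%3Avoid%280%29"',
    'method=POST uri_path=/login.php body="username=%3Cscript%3E&password=x"',
    'method=POST uri_path=/add_user.php body="first_name=javascript%3Aalert%281%29&last_name=Smith"',
]

LINE_RE = re.compile(r'method=(?P<method>\S+) uri_path=(?P<path>\S+) body="(?P<body>[^"]*)"')
USER_ADD_PATHS = {"/add_user.php"}  # assumed endpoint, taken from the SIEM query above
# The page's two indicators, matched case-insensitively and tolerant of "< script"
XSS_MARKERS = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

def decode_field(value, rounds=2):
    """URL-decode up to `rounds` times so a doubly-encoded payload is normalised too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_body(body):
    # Split a form-encoded body into a dict of decoded fields (last value wins)
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key:
            fields[unquote_plus(key)] = decode_field(value)
    return fields

def inspect_record(line):
    """Return the decoded first_name when a user-add POST carries an XSS marker, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST" or m.group("path") not in USER_ADD_PATHS:
        return None
    # Scoped to first_name, as in the SIEM query; widen to every field if desired
    first_name = parse_body(m.group("body")).get("first_name", "")
    return first_name if XSS_MARKERS.search(first_name) else None

def find_suspicious(lines):
    # (1-based line number, decoded first_name) for every suspicious record
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := inspect_record(line))]
```

Against the constructed records, lines 2, 3 and 6 are flagged; line 4 is not because the marker is in last_name, and line 5 is not because it targets a different endpoint.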