CVE-2024-44635
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the PHPGurukul Student Record System admin profile page. When exploited, it can lead to session hijacking, credential theft, or unauthorized actions by administrators. Only systems running the vulnerable version 3.20 are affected.
💻 Affected Systems
- PHPGurukul Student Record System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access, manipulate student records, or deploy malware to users' browsers.
Likely Case
Attackers would use reflected XSS to steal administrator credentials or session tokens, potentially gaining unauthorized access to the system.
If Mitigated
With proper input validation and output encoding, the attack would be prevented, and no impact would occur.
🎯 Exploit Status
Exploitation requires administrator interaction, such as clicking a malicious link, but the attack itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://phpgurukul.com/student-record-system-php
Restart Required: No
Instructions:
No official patch available. Apply input validation and output encoding to adminname and aemailid parameters in /admin-profile.php.
🔧 Temporary Workarounds
Input Validation and Sanitization
allImplement server-side validation and sanitization for adminname and aemailid parameters to prevent XSS payloads.
Edit /admin-profile.php to add input filtering (e.g., htmlspecialchars() for output, preg_match() for validation).
Content Security Policy (CSP)
allDeploy a strict CSP header to mitigate XSS by restricting script execution sources.
Add header: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict access to the admin interface to trusted IP addresses only.
- Monitor logs for suspicious activity related to admin-profile.php parameters.
🔍 How to Verify
Check if Vulnerable:
Test by injecting a simple XSS payload (e.g., <script>alert('XSS')</script>) into adminname or aemailid parameters on /admin-profile.php and check if it executes.Check Version:
Check the system version in the admin panel or configuration files; look for '3.20' in code comments or version strings.Verify Fix Applied:
After applying fixes, retest with XSS payloads to ensure they are properly sanitized and do not execute.📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /admin-profile.php with script tags or encoded payloads in parameters.
- Multiple failed login attempts or access from unexpected IPs.
Network Indicators:
- HTTP requests containing malicious scripts in adminname or aemailid parameters.
SIEM Query:
source="web_logs" AND uri="/admin-profile.php" AND (param="adminname" OR param="aemailid") AND content MATCHES "<script>|javascript:"