CVE-2024-50991
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in PHPGurukul User Management System v1.0 allows attackers to inject malicious scripts via the 'fname' parameter in the admin panel. When an admin views the registered users page, the script executes in their browser context. This affects all installations of PHPGurukul User Management System v1.0 with the vulnerable component enabled.
💻 Affected Systems
- PHPGurukul User Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform administrative actions as the victim, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers with user registration access inject malicious scripts that execute when administrators view user lists, enabling session hijacking or credential theft.
If Mitigated
With proper input validation and output encoding, the malicious payload would be neutralized, preventing script execution.
🎯 Exploit Status
Exploitation requires user registration access to submit malicious payloads. Public proof-of-concept demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch exists. Implement input validation and output encoding in /ums-sp/admin/registered-users.php for the 'fname' parameter.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to sanitize the 'fname' parameter before processing.
Edit /ums-sp/admin/registered-users.php and add: $fname = htmlspecialchars($_POST['fname'], ENT_QUOTES, 'UTF-8');
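Added example (not PHPGurukul's code) of the output-encoding half of the workaround above: because this is stored XSS, the 'fname' value reaches the admin's browser from the users table, so it must also be HTML-encoded at the point where registered-users.php writes it into the page. The column names and the sample rows are assumptions standing in for the real SELECT result.

```php
<?php
// Encode a stored value for safe use inside HTML text or a quoted attribute.
// ENT_QUOTES also converts single quotes, so the value is safe in value='...'
// attributes; ENT_SUBSTITUTE avoids returning an empty string on invalid
// UTF-8, which would otherwise silently blank the field.
function e(?string $value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row of the registered-users table. Every untrusted column goes
// through e(); the vulnerable form of this page is the same concatenation with
// e() omitted, which lets a stored <script> tag reach the admin's browser.
function render_user_row(array $row): string {
    return '<tr>'
        . '<td>' . e($row['id'] ?? '') . '</td>'
        . '<td>' . e($row['fname'] ?? '') . '</td>'
        . '<td>' . e($row['lname'] ?? '') . '</td>'
        . '<td>' . e($row['email'] ?? '') . '</td>'
        . '</tr>';
}

// Constructed sample rows (assumed column names): a benign user and one whose
// 'fname' carries the kind of payload the advisory describes.
$rows = [
    ['id' => 1, 'fname' => 'Alice', 'lname' => "O'Brien", 'email' => 'alice@example.com'],
    ['id' => 2, 'fname' => "<script>alert('XSS')</script>", 'lname' => 'Test', 'email' => 'test@example.com'],
];

echo "<table>\n";
foreach ($rows as $row) {
    // The encoded row is rendered as literal text; no script element is created.
    echo render_user_row($row), "\n";
}
echo "</table>\n";
```

Input validation at registration time remains worthwhile, but only the encoding at output neutralizes values that are already stored in the database.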
Disable User Registration
Temporarily disable user registration to prevent payload injection.
Modify registration form or disable registration functionality in the system.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules.
- Restrict access to the admin panel to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Submit a test payload like <script>alert('XSS')</script> in the 'fname' field during user registration and check if it executes when viewing registered users.
Check Version:
Check the system version in the admin panel or configuration files.
Verify Fix Applied:
After applying fixes, test with the same payload to ensure it's properly sanitized and doesn't execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /ums-sp/admin/registered-users.php with script tags in parameters.
- Multiple user registrations with similar patterns.
Network Indicators:
- HTTP requests containing script tags in POST data to the vulnerable endpoint.
SIEM Query:
source="web_logs" AND uri="/ums-sp/admin/registered-users.php" AND (POST_data CONTAINS "<script>" OR POST_data CONTAINS "javascript:")