Update 2023/09/10
The vulnerability has been included and approved for public disclosure by MITRE.
Vuln_Author: WEI(Gikaku)
The program was set up using XAMPP with PHP 8.2.4.
Vulnerabilities:
- Stored XSS
- CSRF
SourceCodester Take-Note
“Take-Note App,” a simple yet powerful solution to help you organize and manage your notes seamlessly. It also provides CRUD (Create, Read, Update and Delete) functionality. Built using the versatile PHP programming language, this app offers an intuitive user interface and robust features that make note-taking a breeze. It is just a simple app which only uses a single table, unlike the joined-table apps that I’ve also created before.
Features:
- Effortless Note Creation: With the Take-Note App, creating a new note is as simple as typing your thoughts. Enter the title and content of your note, and you’re good to go.
- User-Friendly Interface: The app boasts a clean and user-friendly interface, designed to provide a distraction-free note-taking experience. Whether you’re using a desktop computer or a mobile device, the app adapts seamlessly.
- Edit and Update: Need to make changes to an existing note? The app allows you to easily edit and update your notes. You can modify the title and content to keep your notes up to date.
- Organize and Manage: Organizing your notes is made easy with categorization by titles. The app lets you effortlessly manage multiple notes and quickly find what you’re looking for.
- Time Stamps: Each note you create is automatically stamped with the date and time it was created, helping you keep track of your thoughts and ideas chronologically.
- Delete Confirmation: Before you delete a note, the app prompts you to confirm your action, ensuring that important notes aren’t accidentally removed.
Stored XSS
A stored XSS vulnerability exists in index.php.
Code Audit
....
// Convert the date_time value to a formatted date and time string
$formattedDateTime = date('F j, Y H:i A', strtotime($noteDateTime));
?>
<li class="list-group-item mt-2">
<div class="btn-group float-right">
<a href="endpoint/update_note.php?edit=<?php echo $noteID ?>"><button type="button" class="btn btn-sm btn-light" title="Show"><i class="fa fa-pencil"></i></button></a>
<button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
</div>
<h3 style="text-transform:uppercase;"><b><?php echo $noteTitle ?></b></h3>
<p class="note-content"><?php echo $noteContent ?></p>
<small class="block text-muted text-info">Created: <i class="fa fa-clock-o text-info"></i> <?php echo $formattedDateTime ?></small>
</li>
<?php
}
?>
....
The following line of code is vulnerable:
<p class="note-content"><?php echo $noteContent ?></p>
Here, the value of the $noteContent variable is echoed directly into the HTML. Because this value is user-entered note content that is stored in the database and is neither filtered on input nor HTML-encoded on output, any markup or script it contains is rendered by the browser of every user who views the note, which is a stored XSS risk.
PoC
Attackers can insert JavaScript code into the content of a note. For example, they can create a note with the following content:
<script>alert('xss')</script>
When other users view this note, the above JavaScript code will run in their browsers.
This is a typical stored XSS vulnerability.
The test results are as follows:
Payload execution succeeded.
Stored XSS vulnerability confirmed.
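The vulnerable output pattern from index.php next to a hardened version that encodes note data at the point of output, as an added example that is not code from the Take-Note project; the helper name e() and the function names are assumptions:

```php
<?php
// Added example (not from the Take-Note project): the vulnerable echo
// pattern from index.php beside a hardened version. Run with: php xss_fix.php
declare(strict_types=1);

// Hypothetical helper: encode a value for an HTML text or attribute context.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8
// from silently emptying the output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: mirrors <p class="note-content"><?php echo $noteContent ?></p>,
// the untrusted value lands in the page unchanged.
function renderNoteVulnerable(string $noteTitle, string $noteContent): string
{
    return '<h3><b>' . $noteTitle . '</b></h3>' . "\n"
         . '<p class="note-content">' . $noteContent . '</p>';
}

// Hardened: every untrusted value is encoded where it is written into HTML,
// so stored markup is displayed as text instead of being parsed.
function renderNoteSafe(string $noteTitle, string $noteContent): string
{
    return '<h3><b>' . e($noteTitle) . '</b></h3>' . "\n"
         . '<p class="note-content">' . e($noteContent) . '</p>';
}

// Constructed input: the payload from the PoC, as it would be stored in the DB.
$storedContent = "<script>alert('xss')</script>";

echo "Vulnerable output:\n" . renderNoteVulnerable('test', $storedContent) . "\n\n";
echo "Hardened output:\n" . renderNoteSafe('test', $storedContent) . "\n";
```

The same encoding must be applied to $noteTitle and to the $noteID values placed in the href and onclick attributes, since those are also attacker-influenced output contexts.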
CSRF (Cross-Site Request Forgery)
A CSRF vulnerability exists in index.php and delete_note.php.
Code Audit
....
// Convert the date_time value to a formatted date and time string
$formattedDateTime = date('F j, Y H:i A', strtotime($noteDateTime));
?>
<li class="list-group-item mt-2">
<div class="btn-group float-right">
<a href="endpoint/update_note.php?edit=<?php echo $noteID ?>"><button type="button" class="btn btn-sm btn-light" title="Show"><i class="fa fa-pencil"></i></button></a>
<button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
</div>
<h3 style="text-transform:uppercase;"><b><?php echo $noteTitle ?></b></h3>
<p class="note-content"><?php echo $noteContent ?></p>
<small class="block text-muted text-info">Created: <i class="fa fa-clock-o text-info"></i> <?php echo $formattedDateTime ?></small>
</li>
<?php
}
?>
....
The following code has security issues:
<button onclick="delete_note('<?php echo $noteID ?>')" type="button" class="btn btn-sm btn-light" title="Remove"><i class="fa fa-trash"></i></button>
Here, the application deletes a note through a simple GET request to delete_note.php with the note ID in the query string, and nothing ties that request to an action the user actually intended. This means that anyone who knows the correct URL can delete any note: if a logged-in user is tricked into loading this URL, their note will be deleted.
This is a typical CSRF vulnerability.
PoC
Attackers can create a seemingly harmless link and then lure users to click on this link. For example:
<a href="http://example.com/endpoint/delete_note.php?delete=21">test for csrf</a>
When the user clicks on this link, the result looks like this:
If a logged-in user clicks on this link, their note will be deleted.
The note named “test” has been successfully deleted.
This confirms the CSRF vulnerability.
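A hardened version of the delete endpoint (delete_note.php?delete=<id> in the PoC above), as an added example that is not code from the Take-Note project; function names, the notes table and column names, and an already-started session are assumptions:

```php
<?php
// Added example, not code from the Take-Note project: a hardened version of
// the delete endpoint (delete_note.php?delete=<id> in the PoC). State-changing
// requests must use POST and carry a per-session CSRF token. Function and
// table names are assumptions; session_start() is assumed to have run.
declare(strict_types=1);

// Issue (or reuse) the session's token; index.php embeds it in the delete
// form as a hidden field named csrf_token.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak token bytes.
function csrfTokenIsValid(mixed $submitted): bool
{
    return is_string($submitted)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// GET (the PoC link) is rejected outright; a POST without a matching token
// is rejected before any database access.
function handleDeleteRequest(PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $noteId = filter_input(INPUT_POST, 'delete', FILTER_VALIDATE_INT);
    if ($noteId === null || $noteId === false) {
        http_response_code(400);
        exit('Bad note id');
    }
    $stmt = $db->prepare('DELETE FROM notes WHERE id = :id'); // names assumed
    $stmt->execute([':id' => $noteId]);
    header('Location: ../index.php');
    exit;
}
```

Setting the session cookie to SameSite=Strict would also stop the PoC link, but SameSite=Lax would not, because a clicked link is a top-level GET navigation that Lax still sends cookies with; that is one more reason a delete must never happen on GET.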