#243 Vulnerability: Reflected cross-site scripting in ChurchInfo

v1.0_(example)
open
nobody
5
2019-01-08
2019-01-08
huki45q
No

Vulnerability: Reflected cross-site scripting in ChurchInfo

Proof of Concept

ChurchInfo does not properly validate and encode an HTTP GET parameter belonging to the "Delete property" function. The vulnerability can be found in the file PropertyDelete.php:

// Get the Type and Property
$sType = $_GET["Type"];
$iPropertyID = FilterInput($_GET["PropertyID"],'int');
[...]
<a href="PropertyList.php?Type=<?php echo $sType; ?>"><?php echo gettext("No, cancel this deletion"); ?></a>

Attack:
The following URL contains malicious code in the GET parameter. If it is requested by an (authenticated) user, the response will contain the malicious code.

http://localhost/churchinfo/PropertyDelete.php?PropertyID=6&Type="> <script>alert("Hallelujah!");</script>

The exploit code first closes the link target (") and then the link tag (>). After that, arbitrary JavaScript code can be injected.

Fix

To fix this bug, validate the user input and encode the output, see e.g. [2].
For example, the function "FilterInput", which is used to filter user-supplied input in many other parts of the code, can be used here.
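As an added illustration (not ChurchInfo's own code), the following standalone PHP puts the vulnerable link construction next to a hardened version that validates the Type value against an allowlist and HTML-encodes it before output; the allowlist values and the function names are assumptions made for this example.

```php
<?php
// Added example, not ChurchInfo code: the vulnerable pattern from
// PropertyDelete.php beside a hardened alternative.

// Vulnerable: echoes the raw GET parameter straight into an attribute value,
// so a double quote in the input terminates the href and the tag.
function buildCancelLinkVulnerable(string $sType): string
{
    return '<a href="PropertyList.php?Type=' . $sType . '">'
         . 'No, cancel this deletion</a>';
}

// Hardened, step 1: validate. The accepted set of type codes is an
// assumption for this example; ChurchInfo's real set may differ.
function isValidType(string $sType): bool
{
    $allowedTypes = ['p', 'f', 'g'];
    return in_array($sType, $allowedTypes, true);
}

// Hardened, step 2: encode for the HTML attribute context even after
// validation (defense in depth). ENT_QUOTES also encodes single quotes.
function buildCancelLinkSafe(string $sType): string
{
    if (!isValidType($sType)) {
        // Reject rather than repair unexpected input.
        return '<p>Invalid property type.</p>';
    }
    $encoded = htmlspecialchars($sType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="PropertyList.php?Type=' . $encoded . '">'
         . 'No, cancel this deletion</a>';
}

// Constructed input mirroring the ticket's proof-of-concept payload.
$payload = '"> <script>alert("Hallelujah!");</script>';

echo "Vulnerable output:\n" . buildCancelLinkVulnerable($payload) . "\n\n";
echo "Hardened output (payload rejected):\n" . buildCancelLinkSafe($payload) . "\n\n";
echo "Hardened output (valid input):\n" . buildCancelLinkSafe('p') . "\n\n";
// What encoding alone does to the payload: quotes and angle brackets become
// entities, so the browser renders text instead of a closing tag and script.
echo "Encoded payload:\n"
   . htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
```

Run with `php example.php`; the vulnerable output contains a live script tag, the hardened one never does.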

References

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
