A vulnerability was found in SourceCodester Shopping Website 1.0. It has been classified as critical. Affected is an unknown function of the file index.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-232674 is the identifier assigned to this vulnerability.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

111 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-3457: CveList/Shopping Website (E-Commerce)  index.php has Sqlinjection.pdf at main · qwegz/CveList

itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection.

**itsourcecode\_justines\_sql\_vul****Some information**

CVE ID: CVE-2023-34487

Vendor of Product: https://itsourcecode.com/

Affected Product: justines(https://itsourcecode.com/free-projects/php-project/hotel-management-system-project-php/) - v1.0.0

Attack Type: Remote

Vulnerability type: SQL injection

Description: itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection.

Position: "body"

ParamKey: "log\_pword"

payload: "1234'and(select\*from(select+sleep(5))a/\*\*/union/\*\*/select+1)='"

**Process description**

On the justines home page, enter payload in the login password field. The injection is effective.

Packet capture data.

CVE-2023-34487: GitHub - JunyanYip/itsourcecode_justines_sql_vul

itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to Cross Site Scripting (XSS). Remote code execution can be achieved by entering malicious code in the date selection box.

**itsourcecode\_justines\_xss\_vul****Some information**

CVE ID: CVE-2023-34486

Vendor of Product: https://itsourcecode.com/

Affected Product: justines(https://itsourcecode.com/free-projects/php-project/hotel-management-system-project-php/) - v1.0.0

Vulnerability type: xss

Attack Type: Remote

Description: itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to Cross Site Scripting (XSS). Remote code execution can be achieved by entering malicious code in the date selection box.

Position: "body"

ParamKey: "to"

payload: "<script>alert(document.cookie)</script>"

**Process description**

Enter payload in the date selection box.

The code executes successfully, displaying the user's cookie.

Packet capture data.

CVE-2023-34486: GitHub - JunyanYip/itsourcecode_justines_xss_vul

We're still unprepared to fight the security bugs we already encounter, let alone new AI-borne issues.

From the first rumbles of hype for the latest culture-shattering AI tools, developers and the coding-curious alike have been using them to generate code at the touch of a button. Security experts quickly pointed out that, in many cases, the code being produced was poor quality and vulnerable and, in the hands of those with little security awareness, could cause an avalanche of insecure apps and Web development to hit unsuspecting consumers.

And then there are those who have enough security knowledge to use it for, well, evil. For every mind-blowing AI feat, it seems there is a counter-punch of the same technology being used for nefarious purposes. Phishing, deep fake scam videos, malware creation, general script kiddie shenanigans — these disruptive activities are now achievable much faster, with lower barriers to entry.

There is certainly a lot of clickbait touting this tooling as revolutionary, or at least coming out on top when matched with "average" human skill. While it is looking inevitable that large language models–style (LLM) AI technology will change the way we approach many aspects of work — not just software development — we need to take a step back and consider the risks beyond the headlines.

And as a coding companion, its flaws are perhaps its most "human" attribute.

**Poor Coding Patterns Dominate Its Go-To Solutions**

With ChatGPT trained on decades of existing code and knowledge bases, it's no surprise that for all its marvel and mystery, it too suffers from the same common pitfalls people face when navigating code. Poor coding patterns are the go-to, and it still takes a security-aware driver to generate secure coding examples by asking the right questions and delivering the right prompt engineering.

Even then, there is no guarantee that the code snippets given are accurate and functional from a security perspective; the technology is prone to hallucination, even making up nonexistent libraries when asked to perform some specific JSON operations. This could lead to "hallucination squatting" by threat actors, who would be all too happy to spin up some malware disguised as the fabricated library recommended with full confidence by ChatGPT.

Ultimately, we have to face the reality that, in general, we have not expected developers to be sufficiently security-aware, nor have we as an industry adequately prepared them to write secure code as a default state. This will be evident in the enormous amount of training data fed into ChatGPT, and we can expect similar lackluster security results from its output, at least initially. Developers would have to be able to identify the security bugs and either fix them themselves or design better prompts for a more robust outcome.

The first large-scale user study examining how users interact with an AI coding assistant to solve a variety of security-related functions — conducted by researchers at Stanford University — supports this notion.

Between this and the inevitable AI-borne threats that will permeate our future, developers, now more than ever, must hone their security skills and raise the bar for code quality, no matter its origin.

**The Road to a Data Breach Disaster Is Paved With Good Intentions**

It should come as no surprise that AI coding companions are popular, especially as developers are faced with increasing responsibility, tighter deadlines, and the ambitions of a company's innovation resting on their shoulders. However, even with the best intentions, a lack of actionable security awareness when using AI for coding will inevitably lead to glaring security problems. All developers with AI/ML tooling will generate more code, and its level of security risk will depend on their skill level. Organizations need to be acutely aware that untrained people will certainly generate code faster, but so too will they increase the speed of technical security debt.

Even our preliminary test with ChatGPT in April revealed it will generate very basic mistakes that could have devastating consequences. When we asked it to build a login routine in PHP using a MySQL database, functional code was generated quickly. However, it defaulted to storing passwords in plaintext in a database, storing database connection credentials in code, and using a coding pattern that could result in SQL injection (although, it did do some level of filtering on the input parameters and spitting out database errors). All rookie errors by any measure:

    

Source: Pieter Danhieux and Matias Madou

Further prompting ensured the mistakes were amended, but it takes significant security knowledge to course-correct. Unchecked and widespread use of these tools is no better than unleashing junior developers onto your projects, and if this code is building sensitive infrastructure or processing personal data, then we're looking at a ticking time bomb.

Of course, just like junior developers undoubtedly increase their skills over time, we expect AI/ML capabilities to improve. A year from now, it may not make such obvious and simple security mistakes. However, that will have the effect of dramatically increasing the security skill required to track down the more serious, hidden, non-trivial security errors it will still be in danger of producing.

**We Remain Ill-Prepared to Find and Fix Security Vulnerabilities, and AI Widens the Gap**

While there has been much talk of "shifting left" for many years, the fact remains that, for most organizations, there is a significant lack of practical security knowledge among the development cohort, and we must work harder to provide the right-fit tools and education to help them on their way.

As it stands, we're not prepared for the security bugs we already encounter, not to mention the new AI-borne issues like prompt injection and hallucination squatting that represent entirely new attack vectors that are set to take off like wildfire. AI coding tools do represent the future of a developer's coding arsenal, but the education to wield these productivity weapons safely must come now.

When It Comes to Secure Coding, ChatGPT Is Quintessentially Human

A Cross Site Scripting vulnerability in PHPgurukl User Registration Login and User Management System with admin panel v.1.0 allows a local attacker to execute arbitrary code via a crafted script to the signup.php.

\# User Registration login and user management system with admin panel v.1.0 - Stored Cross-Site Scripting (XSS)Vulnerability

\## Stored Cross Site Scripting Vulnerability found in User Registration login and user management system with admin panel v.1.0

Vulnerability Description -

The User Registration login and user management system with admin panel v.1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application.

Steps to Reproduce -

The following steps demonstrate how to exploit the Stored XSS vulnerability in the Hostel Management System v.1.0:

1\. Visit the User Registration login and user management system with admin panel v.1.0 application by accessing the URL: http://localhost/loginsystem/signup.php

2\. Click on the "Sign Up" and Creat New User Account

"First Name" "Last Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.

3\. Click on the "Submit" button.

4\. Login to the Account using the Email id and Password Which You Have Entered, injected payload will be executed.

As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

\*\*Reference: CVE-2023-34648\*\*

CVE-2023-34648: Common-Vulnerabilities-and-Exposures/CVE-2023-34648 at main · ckalnarayan/Common-Vulnerabilities-and-Exposures

The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

*   **shorten-url/trunk/shorten-url.php**
    
    r2654759
    
    r2931815
    
     
    
    15
    
    15
    
     \* Plugin URI:        https://wordpress.org/plugins/shorten-url/
    
    16
    
    16
    
     \* Description:       Short URL helps you beautify, manage, share & cloak any links on or off of your WordPress website. Create links that look how you want using your own domain name!
    
    17
    
     
    
     \* Version:           1.6.4
    
     
    
    17
    
     \* Version:           1.6.5
    
    18
    
    18
    
     \* Author:            KaizenCoders
    
    19
    
    19
    
     \* Author URI:        https://kaizencoders.com/
    
    20
    
     
    
     \* Tested up to:      5.8.3
    
     
    
    20
    
     \* Tested up to:      6.2.2
    
    21
    
    21
    
     \* License:           GPL-3.0+
    
    22
    
    22
    
     \* License URI:       http://www.gnu.org/licenses
    
    …
    
    …
    
     
    
    459
    
    459
    
               
    
    460
    
    460
    
                    if (isset($\_POST\['add'\])) {
    
    461
    
     
    
                        $url\_ext = str\_replace("'", "", $\_POST\['url\_externe'\]) ;
    
    462
    
     
    
                        $comment = str\_replace("'", "", $\_POST\['comment'\]) ;
    
     
    
    461
    
                        $url\_ext = sanitize\_text\_field(str\_replace("'", "", $\_POST\['url\_externe'\])) ;
    
     
    
    462
    
                        $comment = sanitize\_text\_field(str\_replace("'", "", $\_POST\['comment'\])) ;
    
    463
    
    463
    
                        if (!preg\_match("/^http/i", $url\_ext)) {
    
    464
    
    464
    
                            $url\_ext = "http://".$url\_ext  ;
    
    …
    
    …
    
     
    
    694
    
    694
    
            $idLink = $\_POST\['idLink'\];
    
    695
    
    695
    
            // Empty the database for the given idLink
    
    696
    
     
    
            $q = "DELETE FROM {$table\_name} WHERE id\_post=".$idLink ;
    
     
    
    696
    
            $q = $wpdb->prepare("DELETE FROM {$table\_name} WHERE id\_post=%d", $idLink);
    
    697
    
    697
    
            $wpdb->query( $q ) ;
    
    698
    
    698
    
            // Create a new entry
    
    …
    
    …
    
     
    
    1261
    
    1261
    
    }
    
    1262
    
    1262
    
     
    
    1263
    
    if ( ! defined( 'KC\_SU\_MIN\_PHP\_VER' ) ) {
    
     
    
    1264
    
        define( 'KC\_SU\_MIN\_PHP\_VER', '5.6' );
    
     
    
    1265
    
    }
    
     
    
    1266
    
     
    
    1267
    
    if ( ! defined( 'KC\_SU\_MAX\_PHP\_VER' ) ) {
    
     
    
    1268
    
        define( 'KC\_SU\_MAX\_PHP\_VER', '7.4.22' );
    
     
    
    1269
    
    }
    
     
    
    1270
    
     
    
    1271
    
    if ( ! function\_exists( 'kc\_su\_fail\_php\_version\_notice' ) ) {
    
     
    
    1272
    
        /\*\*
    
     
    
    1273
    
         \* Shorten URL admin notice for minimum & maximum PHP version.
    
     
    
    1274
    
         \*
    
     
    
    1275
    
         \* Warning when the site doesn't have the minimum required PHP version.
    
     
    
    1276
    
         \*
    
     
    
    1277
    
         \* @return void
    
     
    
    1278
    
         \* @since 1.6.5
    
     
    
    1279
    
         \*
    
     
    
    1280
    
         \*/
    
     
    
    1281
    
        function kc\_su\_fail\_php\_version\_notice() {
    
     
    
    1282
    
            /\* translators: %s: PHP version \*/
    
     
    
    1283
    
            $message      = sprintf( esc\_html\_\_( 'Shorten URL requires PHP version between %s & %s, plugin is currently NOT RUNNING.', 'shorten-url' ), KC\_SU\_MIN\_PHP\_VER,  KC\_SU\_MAX\_PHP\_VER);
    
     
    
    1284
    
            $html\_message = sprintf( '<div class="error">%s</div>', wpautop( $message ) );
    
     
    
    1285
    
            echo wp\_kses\_post( $html\_message );
    
     
    
    1286
    
        }
    
     
    
    1287
    
    }
    
     
    
    1288
    
     
    
    1289
    
    if ( ! function\_exists( 'kc\_su\_migrate\_to\_url\_shortify' ) ) {
    
     
    
    1290
    
        /\*\*
    
     
    
    1291
    
         \* Shorten URL admin notice for minimum & maximum PHP version.
    
     
    
    1292
    
         \*
    
     
    
    1293
    
         \* Warning when the site doesn't have the minimum required PHP version.
    
     
    
    1294
    
         \*
    
     
    
    1295
    
         \* @return void
    
     
    
    1296
    
         \* @since 1.6.5
    
     
    
    1297
    
         \*
    
     
    
    1298
    
         \*/
    
     
    
    1299
    
        function kc\_su\_migrate\_to\_url\_shortify() {
    
     
    
    1300
    
            /\* translators: %s: PHP version \*/
    
     
    
    1301
    
            $message      = sprintf( \_\_('We are retiring Shorten URL plugin and will continue to develop <a href="%s" target="\_blank">URL Shortify</a>. We will provide help to migrate to URL Shortify. <a href="mailto:hello@kaizencoders.com">Contact us</a>  for migration.','shorten-url'), 'https://wordpress.org/plugins/url-shortify/');
    
     
    
    1302
    
            $html\_message = sprintf( '<div class="notice notice-info">%s</div>', wpautop( $message ) );
    
     
    
    1303
    
            echo wp\_kses\_post( $html\_message );
    
     
    
    1304
    
        }
    
     
    
    1305
    
    }
    
     
    
    1306
    
     
    
    1307
    
    add\_action( 'admin\_notices', 'kc\_su\_migrate\_to\_url\_shortify' );
    
     
    
    1308
    
     
    
    1309
    
    if ( ! version\_compare( PHP\_VERSION, KC\_SU\_MIN\_PHP\_VER, '>=' ) || ! version\_compare( PHP\_VERSION, KC\_SU\_MAX\_PHP\_VER, '<=' )) {
    
     
    
    1310
    
        add\_action( 'admin\_notices', 'kc\_su\_fail\_php\_version\_notice' );
    
     
    
    1311
    
     
    
    1312
    
        return;
    
     
    
    1313
    
    }
    
     
    
    1314
    
     
    
    1315
    
     
    
    1316
    
    1263
    
    1317
    
    $shorturl = shorturl::getInstance();
    
    1264
    
    1318

CVE-2023-1602: Changeset 2931815 for shorten-url/trunk/shorten-url.php – WordPress Plugin Repository

Chemex through 3.7.1 is vulnerable to arbitrary file upload.

**1\. Synopsis**

Chemex is vulnerable to arbitrary file upload vulnerability, which can lead to code execution.

This vulnerability exists in Chemex's latest verion 3.7.1 and all versions below. The upload/import function implements filter only in frontend, there is no filter in the backend code. Attackers can easily bypass it with tools like Burpsuite.

**2\. Analysis**

The vulnerable endpoints is listed below:  
/dcat-api/form/upload (/organization/users)  
/device/records  
/device/categories  
/vendor/records

We are going to analysis endpoint **/organization/users**.

The corresponding code is in: chemex-main/app/Admin/Forms/UserImportForm.php function form

It applies filter to only accept xlsx and csv file, but only in the frontend

The backend code to upload function is in: chemex-main/vendor/dcat/laravel-admin/src/Form/Field/UploadField.php function upload

Read the code carefully, you will find there is no filter at all.

**3\. Exploit**

You can use the following syntax to search vulnerable target in internet with Hunter (https://hunter.qianxin.com/) : web.body="让IT资产管理更加简单"&&web.body="dcat-admin/dcat/plugins/vendors.min.js"

You can login with default cred **admin : admin**, or some simple passwords.

The following targets has been tested by me:

    https://gz.yunxiaoseo.com/ 	admin : 123456
    http://42.192.138.41:8005/	admin : admin
    https://jixiadmin.qiyekj.cn/	admin : admin
    http://121.28.101.42:81/	admin : admin
    http://81.70.56.151/		admin : admin
    

The target we are going to test is http://81.70.56.151/, it's the latest version I found so far (the latest is 3.7.1).

Click "组织" button or go to this url directly: /organization/users, then click the green "导入人员信息模板" button.

It will pop up a window to let you select a file to upload. Drag or select a xlsx file to upload, then intercept it with burp.

In burp, send the request to repeater, then modify the **filename** parameter to a php file, fill in some simple code to execute cmd.

The uploaded path will be echoed in the response, access it in your web browser.

Finally, you gain code execution.

The video of demonstration of latest version can be found in: https://mega.nz/file/dUlAyY7J#5ceaOxDibsRaqSC8VEqB6IZCWdiFCU1-WhfbLB72la0

CVE-2023-34738: Arbitrary file upload vulnerability in Chemex 3.7.1 · Issue #64 · celaraze/chemex

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

/churchcrm/GroupReports.php

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Linux

**What browser (and version) are you running?**

Firefox

**What version of PHP is the server running?**

7.4.33

**What version of SQL Server are you running?**

5.7.26

**What version of ChurchCRM are you running?**

4.5.3

Description:  
XSS was detected in GroupReports.php, three hidden parameters were found in the code of this page, in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:  
The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions

Proof of Concept:  
**<script>alert('XSS')</script>**

CVE-2023-33661: XSS exists in the group report page · Issue #6474 · ChurchCRM/CRM

PHPgurukl Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS).

\# Hostel Management System v.1.0 - Stored Cross-Site Scripting (XSS)Vulnerability

\## Stored Cross Site Scripting Vulnerability found in Hostel Management System v.1.0

Vulnerability Description -

The Hostel Management System v.1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application.

Steps to Reproduce -

The following steps demonstrate how to exploit the Stored XSS vulnerability in the Hostel Management System v.1.0:

1\. Visit the Hostel Management System v.1.0 application by accessing the URL: http://localhost/hostel/index.php.

2\. Click on the "Sign Up" and Creat New User Account

"First Name" "Last Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.

3\. Click on the "Submit" button.

4\. Login to the Account using the Email id and Password Which You Have Entered, injected payload will be executed.

As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

\*\*Reference: CVE-2023-34647\*\*

CVE-2023-34647: Common-Vulnerabilities-and-Exposures/CVE-2023-34647 at main · ckalnarayan/Common-Vulnerabilities-and-Exposures

PHPgurukl Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS) via Add New Course.

\# Hostel Management System v.1.0 - Stored Cross-Site Scripting (XSS)Vulnerability

\## Stored Cross Site Scripting Vulnerability found in Hostel Management System v.1.0

Vulnerability Description -

The Hostel Management System v.1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application.

Steps to Reproduce -

The following steps demonstrate how to exploit the Stored XSS vulnerability in the Hostel Management System v.1.0:

1\. Visit the Hostel Management System v.1.0 application by accessing the URL: http://localhost/hostel/index.php.

2\. Click on the "Admin" button to navigate to the admin login page.

3\. Login to the Admin account using the default credentials.

\- Username: admin

\- Password: Test@123

4\. Proceed to the Admin Profile page.

5\. Click on Courses, and Add New Course, Within the "Course Code" "Course Name(Short)" "Course Name(Full)" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.

6\. Click on the "Submit" button.

7\. Refresh the page, and the injected payload will be executed.

As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

\*\*Reference: CVE-2023-34652\*\*

Tag

#php