Cross-site scripting (XSS) vulnerability in inc/lib/lib.base.php in SASHA 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the instructors parameter. NOTE: the original disclosure also mentions the section_title parameter, but this was disputed by the vendor and retracted by the original researcher.
SASHA 0.2.0 is vulnerable to a cross-site scripting (XSS) attack, allowing attackers to inject malicious code into web pages viewed by other users. This vulnerability, stemming from improper input sanitization of the instructors parameter, could lead to session hijacking, defacement, or the redirection of users to malicious websites.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing a JavaScript payload within the instructors parameter. For example: http://vulnerable-site/page.php?instructors=<script>alert('XSS')</script>
Step 2: Request Submission: The attacker sends the crafted URL to a victim, typically via phishing, social engineering, or by posting it on a public forum.
Step 3: Server Processing: The vulnerable SASHA application receives the request and processes the URL, including the attacker-supplied instructors parameter.
Step 4: Data Display: The application, due to the lack of proper sanitization, directly includes the attacker's input (the JavaScript payload) when generating the HTML response.
Step 5: Victim Interaction: When the victim's browser loads the page, it encounters the injected JavaScript code.
Step 6: Code Execution: The victim's browser executes the malicious JavaScript, allowing the attacker to perform actions such as stealing cookies, redirecting the user, or defacing the website.
The vulnerability lies in the inc/lib/lib.base.php file in SASHA 0.2.0. The instructors parameter is not sanitized or encoded before it is written into a web page, so an attacker can place arbitrary HTML or JavaScript in the parameter's value. When a user views a page that reflects the injected value, their browser executes the script. The root cause is missing or inadequate input validation and output encoding (e.g., HTML entity encoding) for the instructors parameter; because nothing transforms the value on its way into the response, the attacker's markup is emitted unchanged into the rendered HTML.
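The following PHP is an added illustration of the reflection pattern described in the attack steps and the root-cause paragraph above, together with the fix; it is not SASHA's code, and the function names, the allow-list policy and the sample inputs are assumptions made for the example. The unsafe function shows how a parameter concatenated straight into markup carries any HTML it contains into the response; the safe function applies HTML entity encoding for the element-text context, and the validator shows an additional allow-list check a maintainer could layer on top.

```php
<?php
// Added illustration, not SASHA's own code: the real inc/lib/lib.base.php is not
// reproduced here. Both render functions take the raw value of the "instructors"
// query parameter and return the HTML fragment that would be sent to the browser.

declare(strict_types=1);

// Vulnerable pattern (hypothetical): the parameter is interpolated into the
// markup verbatim, so any HTML or <script> it contains becomes part of the page.
function render_instructors_unsafe(string $instructors): string
{
    return "<p>Instructors: " . $instructors . "</p>";
}

// Hardened pattern: HTML-entity-encode the value for its output context.
// ENT_QUOTES also encodes single and double quotes, so the value stays inert
// inside attribute values as well as element text; the explicit charset avoids
// multibyte edge cases; ENT_SUBSTITUTE replaces invalid byte sequences instead
// of making htmlspecialchars() return an empty string.
function render_instructors_safe(string $instructors): string
{
    $encoded = htmlspecialchars($instructors, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Instructors: " . $encoded . "</p>";
}

// Optional allow-list validation in addition to encoding (assumed policy, not
// SASHA's): an instructor field in a scheduling application plausibly needs only
// letters, combining marks, whitespace and a few punctuation characters.
// Rejecting anything else limits exposure if an encoding step is forgotten elsewhere.
function validate_instructors(string $instructors): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\s.,\'-]{1,200}$/u', $instructors);
}

// Constructed sample inputs: a benign value and the payload quoted in the advisory.
$samples = [
    "Dr. O'Brien, Prof. Müller",
    "<script>alert('XSS')</script>",
];

foreach ($samples as $value) {
    echo "input:  ", $value, PHP_EOL;
    echo "unsafe: ", render_instructors_unsafe($value), PHP_EOL;
    echo "safe:   ", render_instructors_safe($value), PHP_EOL;
    echo "valid:  ", validate_instructors($value) ? 'yes' : 'no', PHP_EOL, PHP_EOL;
}
```

Run it from the command line with `php example.php` to compare the three outputs for each input: the unsafe fragment carries the script tag through unchanged, while the safe fragment turns `<`, `>` and the quotes into entities so the browser renders the payload as literal text. Note that htmlspecialchars() is correct only for HTML element and attribute contexts; a value inserted into a JavaScript string, a URL or a CSS block needs the encoder for that context, and validation is a complement to output encoding rather than a replacement for it.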