CVE-2012-3870

LOW 3.5 / 10.0
Published: December 28, 2012 at 11:48 AM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

Multiple cross-site scripting (XSS) vulnerabilities in objects/createobject.php in Open Constructor 3.12.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) name or (2) description parameter.

CVSS Metrics

Base Score
3.5
Severity
LOW
Vector String
AV:N/AC:M/Au:S/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Open Constructor 3.12.0 is vulnerable to cross-site scripting (XSS), which lets authenticated attackers inject malicious scripts into web pages viewed by other users. The vulnerability is exploitable through the name and description parameters of objects/createobject.php and can lead to account compromise, data theft, and website defacement.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate to the Open Constructor application, likely as a registered user, as indicated by the vulnerability description mentioning 'remote authenticated users'.

Step 2: Payload Injection: The attacker crafts a malicious payload containing JavaScript or HTML code. This payload is designed to execute in the victim's browser.

Step 3: Parameter Manipulation: The attacker submits the payload through the name or description parameters in a POST request to objects/createobject.php. The payload is designed to be stored in the application's database.

Step 4: Data Storage: The application stores the attacker's injected code in the database, associated with the created object.

Step 5: Victim Interaction: A legitimate user views the object created by the attacker. This triggers the application to retrieve the malicious data from the database.

Step 6: Code Execution: The victim's browser renders the retrieved data, including the attacker's injected JavaScript or HTML. The malicious code then executes within the context of the victim's session.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and output encoding in the createobject.php script. Specifically, the script fails to properly sanitize user-supplied data from the name and description parameters before displaying it on the webpage. The lack of input validation lets malicious JavaScript or HTML into the application, and the absence of output encoding (e.g., HTML entity encoding) lets the browser interpret that injected code as markup instead of text. The root cause is a failure to implement proper security controls when handling user-supplied input.
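The following PHP sketch is an added illustration of the two missing controls described above; it is not Open Constructor source code. The function names, the sample record and the validation rule for names are assumptions made for the example.

```php
<?php
// Added illustration, NOT Open Constructor code. All names are hypothetical.

// Constructed sample of a stored record whose fields originated from the
// name and description request parameters.
$stored = [
    'name'        => '<script>alert(1)</script>',
    'description' => 'Quarterly "report" & notes',
];

// Unsafe pattern: stored values are concatenated into markup unchanged,
// so the browser parses any tags they contain.
function render_unsafe(array $obj): string
{
    return '<h2>' . $obj['name'] . '</h2><p>' . $obj['description'] . '</p>';
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES encodes
// both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is encoded at the point of output.
function render_safe(array $obj): string
{
    return '<h2>' . h($obj['name']) . '</h2><p>' . h($obj['description']) . '</p>';
}

// Input validation as a second layer (assumed rule: letters, digits, space,
// underscore, dot and hyphen, 1 to 64 characters). It narrows what gets
// stored but does not replace encoding at output.
function validate_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _.\-]{1,64}$/u', $name);
}

echo render_unsafe($stored), PHP_EOL;       // markup reaches the page as tags
echo render_safe($stored), PHP_EOL;         // same data rendered as inert text
var_dump(validate_name($stored['name']));   // sample name fails the allow-list
var_dump(validate_name('Press release 2012'));
```

Encoding at output is the control that holds even for records stored before validation was introduced, which is why it is applied in the render path and not only when the object is created.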
