HomeAdvisoriesBlogToolsRSS

Online Attendance System: Lite Edition 1.0 multiple Cross-Site Scripting (XSS) vulnerabilities

© 2010-11-15 ~ Brendan Coles <bcoles at gmail dot com>

Summary

There are multiple Cross-Site Scripting (XSS) vulnerabilities in Online Attendance System: Lite Edition 1.0 which may allow an attacker to take control of the software.

Software

Software Link: Online Attendance System: Lite Edition 1.0

Vulnerable Version: <= 1.0

Vendor Notification: support@onlinetechtools.com at 2010-11-05 3:55AM

# No reply from vendor by 2010-11-15 # Advisory released.

Vulnerabilities

# Information Disclosure # SQL Query Disclosure # 1.0 # Unpatched

# Reflected Cross-Site Scripting (XSS) # 1.0 # Unpatched

The vulnerability exists due to failure in "reports.asp" to properly sanitize user-supplied input in the "Period" parameter.

The vulnerability exists due to failure in "check.asp" to properly sanitize user-supplied input in the "Absent", "Teacher" and "lunCount" parameters.

The following proof of concept is available:

# Persistant Cross-Site Scripting (XSS) # 1.0 # Unpatched

The vulnerability exists due to failure in "update.asp" to properly sanitize user-supplied input in the "Absent", "Teacher" and "lunCount" parameters.

The following proof of concept is available:

View XSS payload :

Reference

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Information Disclosure

Appendix

[TXT] Online Attendance System - Lite Edition 1.0 multiple Cross-Site Scripting (XSS) vulnerabilities