Mart Developers iBanking Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Mart Developers iBanking version 2.0.0. This issue allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter within the Client Profile Update section.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the iBanking system as a sysadmin and create a new client. During the client profile update, inject a JavaScript payload into the Name, address, or phone number fields. After saving the details, log in as the new client and navigate to the account section. The injected script will execute, demonstrating the cross-site scripting vulnerability. This can be further exploited by sending the admin cookie to a remote location and using it to access the admin dashboard as a sysadmin.

Remediation

It is recommended to implement server-side input validation and sanitization, encode user inputs before display, set a Content Security Policy header to restrict inline script execution, use HttpOnly and Secure flags for session cookies, and implement anti-CSRF tokens in forms.