Senayan Library Management System Cross-Site Scripting Scanner

Detects a Cross-Site Scripting (XSS) vulnerability in Senayan Library Management System that affects v. 9.5.2 (Bulian).

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 20 hours
Scan only one: URL
Toolbox: -

The Senayan Library Management System (SLiMS) is primarily used by libraries to manage cataloging, circulation, and inventory of library materials. It is popular in educational institutions, public libraries, and research centers for managing library resources efficiently. SLiMS includes features such as an online public access catalog (OPAC), which allows users to search and locate books and other library materials. The software is designed to streamline library processes and is customizable to suit different institutional needs. It supports multiple languages and is recognized for its user-friendly interface. Being open-source, it is freely available for libraries to use and modify according to their specific requirements.

Cross-Site Scripting (XSS) is a prevalent vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The scripts can execute in the context of the user's session, potentially leading to credential theft, session hijacking, or defacement of the website. XSS vulnerabilities occur when web applications include user-generated content without proper validation and escaping. Attackers can exploit these flaws to send malicious content to unsuspecting users, effectively compromising their interactions with the system. Preventing XSS involves implementing rigorous input validation, sanitizing user data, and employing content security policies (CSP). This ensures that web applications reflect user inputs safely and securely back to browsers.

Technically, this XSS vulnerability involves injecting a payload into the `index.php` endpoint, which, when executed, causes the webpage to run the payload script repeatedly. The script `<script>alert(document.domain)</script>` is used as the test payload: it checks whether the domain is correctly reflected in the JavaScript alert pop-up. A successful reflection indicates that the vulnerability is actively present and can be a vector for more malicious attacks. The vulnerable parameter is connected to the path structure within the URL, which inadvertently processes the injected script. The flaw is exploited by tricking the application into executing scripts in the victim's browser, providing an opportunity for attackers to manipulate the application's behavior.
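As an added example (not part of the original page, SLiMS, or the scanner), the following Python code shows a defender-side check over web-server access logs for requests to `index.php` whose URL carries script markup, including double-encoded forms. The log lines are constructed samples, the function names are hypothetical, and the placement of the payload after `index.php/` is an assumption made for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Markup that has no business appearing in a URL path or query string.
MARKUP_RE = re.compile(r'<\s*/?\s*(?:script|img|svg|iframe)\b|javascript:', re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_index_requests(log_lines):
    """Return (line_number, decoded_target) for index.php requests carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP line: skip rather than crash
        target = fully_decode(match.group("target"))
        if "index.php" in target.lower() and MARKUP_RE.search(target):
            hits.append((number, target))
    return hits


# Constructed sample log lines (not taken from a real system); the payload
# position after "index.php/" is an assumption for illustration.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?keywords=history HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php/%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 4891',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php/%253Cscript%253Ealert(document.domain)%253C/script%253E HTTP/1.1" 200 4891',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /css/style.css HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for number, target in suspicious_index_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit in the logs shows only that such a request was received; whether the markup was reflected unescaped still has to be confirmed against the response body.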

The exploitation of Cross-Site Scripting (XSS) can lead to several adverse effects, including the theft of session cookies, sensitive user information, or credentials, which may result in unauthorized access. It can also facilitate stored attacks where malicious content persists in the application, affecting all users who trigger the vulnerability unintentionally. Attackers may additionally engage in phishing attacks or spread malware through XSS vulnerabilities, harming both users and the application's reputation. Moreover, XSS can lead to defacement of web pages, causing significant embarrassment and potential distrust among users of the service. Affected systems can have reduced operational integrity and reliability, potentially resulting in financial and reputational losses for organizations using vulnerable applications.
