Stored cross-site scripting (XSS) in admin/usermanager.php in IPPlan v4.92b allows remote attackers to inject arbitrary web script or HTML via the userid parameter.
In a nutshell, certain input fields controlled by the user lack validation. The only processing we can see for the userid parameter is a "trim" (code: admin/usermanager.php -> administrator $userid=trim($userid);), so during account creation the form accepts arbitrary strings for a value that should not be controlled by the user.
Although IPPlan isn't a brand-new application, different organizations still seem to rely on its functionality, since the information it provides is very useful for tracking network segmentation across a given environment.

If this is your scenario and you want to get rid of such vulnerabilities, remove the user ID parameter from the UI and let the database control that value with the proper increment, with primary keys and foreign keys set accordingly; this will require a few changes to the code and to the database structure. Another option that can reduce the impact of this scenario is to use an INT data type for the column. Also add validation/sanitization, such as PHP's htmlspecialchars() function, to convert special characters to HTML entities correctly.
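
The difference between the trim-only handling and the validation/encoding recommended above, as an added example that is not IPPlan's own code. The function names, the allow-list pattern and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not IPPlan source. Function names, the allow-list
// pattern and the sample values are assumptions made for this example.

// Behaviour described above: trim() strips surrounding whitespace only,
// so markup inside the value is kept and would be stored unchanged.
function userid_trim_only(string $userid): string
{
    return trim($userid);
}

// Input validation: accept only an allow-listed alphabet and length.
// \A and \z anchor the whole string ("$" would allow a trailing newline).
function userid_validated(string $userid): ?string
{
    $userid = trim($userid);
    return preg_match('/\A[A-Za-z0-9._-]{1,40}\z/', $userid) === 1
        ? $userid
        : null; // caller rejects the account creation request
}

// Output encoding: apply every time a stored value is written into HTML.
// This also neutralises rows stored before validation existed.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: two ordinary IDs and two with HTML metacharacters.
$samples = ['jsmith', '  ops.team-2  ', '<b>jsmith</b>', "o'brien"];

foreach ($samples as $raw) {
    $stored   = userid_trim_only($raw);
    $accepted = userid_validated($raw);
    printf(
        "input=%s\n  trim only -> stored %s\n  validated -> %s\n  encoded   -> %s\n",
        var_export($raw, true),
        var_export($stored, true),
        $accepted === null ? 'REJECTED' : var_export($accepted, true),
        html_out($stored)
    );
}
```

Validation at account creation and encoding at output are complementary: the first keeps new bad values out of the table, the second covers anything already stored.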