Vendor: Project Worlds
Product: Student Project Allocation System
Vendor URL: https://projectworlds.in/student-project-allocation-system-using-php-with-source-code/
Date: 1/15/2024
The Admin Login module of the Student Project Allocation System developed by Project Worlds contains a reflected Cross-Site Scripting (XSS) vulnerability. An attacker can inject script into the page returned to a victim, potentially leading to unauthorized access, data theft, or other security breaches.
Vulnerability Type: Reflected XSS
Vulnerable File: admin/admin_login.php
Vulnerable Parameter: msg
Proof of Concept URL: https://localhost/Project-Allocation-System/admin/admin_login.php?msg=test%22%3Cscript%3Ealert(%27Torada%27)%3C/script%3E
The application does not validate or encode the value of the msg URL parameter before writing it into the response. As a result, an attacker can inject markup and script into the page, leading to the execution of arbitrary JavaScript in the context of the victim's browser.
To demonstrate the issue, load the admin login page with the msg parameter set to a payload that closes the surrounding markup and adds a script element:
https://localhost/Project-Allocation-System/admin/admin_login.php?msg=test"><script>alert('Torada')</script>
When the page loads, the injected script runs and an alert box showing 'Torada' appears, confirming that the parameter is reflected into the page without encoding.
Validate user input and encode it for the context in which it is output, so that user-controlled data cannot be interpreted as markup or script.
Example (PHP):
// Read the parameter defensively (no warning when it is absent) and encode it
// for an HTML context before it is written into the page.
$msg = htmlspecialchars($_GET['msg'] ?? '', ENT_QUOTES, 'UTF-8');
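As an added illustration (this is not the vendor's code; the function names, the surrounding <p> markup and the LOGIN_MESSAGES table are assumptions made for the example), the following places the unsafe reflection pattern described above next to two hardened forms and checks them against the payload from the proof of concept:

```php
<?php
// Added example, not the vendor's code: the unsafe reflection pattern the
// advisory describes next to two hardened forms. Function names, the <p>
// markup and the LOGIN_MESSAGES table are assumptions for this example.
declare(strict_types=1);

// Vulnerable pattern: the raw query value is concatenated into the HTML, so a
// value such as  test"><script>...</script>  is parsed as markup.
function render_message_unsafe(string $msg): string
{
    return '<p class="msg">' . $msg . '</p>';
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES covers both
// quote characters (so the value is also safe inside a quoted attribute) and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_message_safe(?string $msg): string
{
    $encoded = htmlspecialchars($msg ?? '', ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="msg">' . $encoded . '</p>';
}

// Stronger pattern: a login page only needs a few fixed messages, so accept a
// short code and map it to canned text. Unknown codes render nothing, and the
// user-controlled string never reaches the page at all.
const LOGIN_MESSAGES = [
    'invalid' => 'Invalid username or password.',
    'logout'  => 'You have been logged out.',
];

function render_message_allowlist(?string $code): string
{
    $text = LOGIN_MESSAGES[$code ?? ''] ?? '';
    return '<p class="msg">' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Self-check using the payload from the proof of concept in the advisory.
if (PHP_SAPI === 'cli') {
    $payload = 'test"><script>alert(\'Torada\')</script>';
    $unsafe    = render_message_unsafe($payload);
    $safe      = render_message_safe($payload);
    $allowlist = render_message_allowlist($payload);

    echo "unsafe:    $unsafe\n";
    echo "safe:      $safe\n";
    echo "allowlist: $allowlist\n";

    // Only the unsafe output may still contain a script element.
    $ok = strpos($safe, '<script') === false
       && strpos($allowlist, '<script') === false
       && strpos($unsafe, '<script') !== false;
    echo $ok ? "check: PASS\n" : "check: FAIL\n";
    exit($ok ? 0 : 1);
}
```

Run it with `php reflect_msg.php`; the safe output shows the payload as `&lt;script&gt;` and `&quot;` text, while the allow-list variant renders an empty message because the payload is not a known code. Note that htmlspecialchars is the right encoder only for the HTML text and attribute contexts; if msg were ever written into a script block, an inline event handler or a URL attribute, a context-specific encoding would be needed instead, and a Content-Security-Policy header that disallows inline script is a worthwhile second layer regardless of which fix is applied.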