Overview

Vendor: Project Worlds Product: Student Project Allocation System

https://projectworlds.in/student-project-allocation-system-using-php-with-source-code/ Date: 1/15/2024

Vulnerability Details

The Admin Login module in the Student Project Allocation System developed by Project Worlds is found to have a reflected Cross-Site Scripting (XSS) vulnerability. It allows an attacker to inject malicious script into the application page, potentially leading to unauthorized access, data theft, or other security breaches.

XSS Vulnerability

<https://localhost/Project-Allocation-System/admin/admin_login.php?msg=test%22%3Cscript%3Ealert(%27Torada%27)%3C/script%3E>

Description

The application fails to properly validate and sanitize the user input received through the URL parameter msg. As a result, an attacker can inject malicious scripts into the page, leading to the execution of arbitrary JavaScript code in the context of the victim's browser.

Proof of Concept

To demonstrate the exploit, an attacker can craft a URL with a malicious payload as follows:

  1. Access the vulnerable page with the crafted URL:

    https://localhost/Project-Allocation-System/admin/admin_login.php?msg=test"><script>alert('Torada')</script>

  2. Upon loading the page, the injected script triggers an alert with the message 'Torada', indicating successful exploitation.


Recommendations

1. Input Validation and Sanitization

Implement proper input validation and sanitization to ensure that user input is safe and free from malicious code.

Example (PHP):

$msg = htmlspecialchars($_GET['msg'] ?? '', ENT_QUOTES, 'UTF-8'); // encode for the HTML context; empty string when the parameter is absent
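As an added example (not code from the Project Worlds project), the following shows how admin_login.php could handle the msg parameter in the two ways this recommendation describes: an allow-list that maps short codes to fixed messages, and context-aware output encoding for any free text that must be reflected. Function and constant names are hypothetical, and the payload is the one from the proof of concept above.

```php
<?php
declare(strict_types=1);

// Allow-list approach (assumed design): treat msg as a short code and map it
// to fixed text, so attacker-controlled strings never reach the page at all.
const LOGIN_MESSAGES = [
    'invalid' => 'Invalid username or password.',
    'logout'  => 'You have been logged out.',
];

function messageFromCode(?string $code): string
{
    // Unknown or missing codes render nothing rather than echoing input.
    return LOGIN_MESSAGES[$code ?? ''] ?? '';
}

// Encoding approach: if free text must be reflected, encode it for the HTML
// element context. ENT_QUOTES encodes both quote characters, which matters
// because the advisory's payload starts with a double quote to break out of
// an attribute.
function renderMessage(?string $msg): string
{
    if ($msg === null || $msg === '') {
        return '';
    }
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="alert">' . $safe . '</div>';
}

// Constructed demonstration using the payload from the proof of concept.
$payload = 'test"><script>alert(\'Torada\')</script>';

// The encoded form contains no '<', '>' or raw quotes, so the browser
// renders it as text instead of executing it.
echo renderMessage($payload), PHP_EOL;

// The allow-list rejects the payload entirely because it is not a known code.
echo messageFromCode($payload) === '' ? 'unknown code ignored' : 'known code', PHP_EOL;
echo messageFromCode('invalid'), PHP_EOL;
```

Run it with the PHP CLI (`php example.php`) to compare the two outputs; the allow-list variant is preferable when the set of login messages is fixed, since it removes the reflected input path altogether.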

2. JavaScript Output Encoding