| عنوان | PHPGurukul Teacher Subject Allocation Management System 1.0 Cross Site Scripting |
|---|
| الوصف | Bug Description:
An unauthenticated reflected cross-site scripting (XSS) vulnerability in PHPGurukul Teacher Subject Allocation Management System 1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the "searchdata" field.
Steps to Reproduce:
# Exploit Title: Unauthenticated Reflected cross-site scripting (XSS) vulnerability in PHPGurukul Teacher Subject Allocation Management System
# Date: 05-12-2023
# Exploit Author: dhabaleshwardas
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/
# Version: 1.0
# Tested on: firefox/chrome/brave
# CVE :
To reproduce the attack:
1- Head to the http://localhost/tsas/index.php endpoint
2- Here you would be asked to give a value in the "searchdata" parameter. We simply put an XSS payload <script>alert(5)</script>.
3- As soon as you hit "Go" intercept the request and then check the response, you can see the payload directly embedded into the HTML content without proper sanitization or encoding, and hence, a pop-up is shown with the number "5".
4- Although Reflected XSS is not as critical as Stored XSS but still it can be used to steal user session cookies, allowing the attacker to impersonate the victim and perform actions on their behalf and can even redirect users to malicious websites.
Remediation:
1- Validate and sanitize user input on the server side. Ensure that input adheres to expected patterns and formats.
2- Encode user input before displaying it in the HTML output. HTML-encode special characters to prevent them from being interpreted as HTML or JavaScript.
|
|---|
| المصدر | ⚠️ https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/tsas-reflected-xss.md |
|---|
| المستخدم | dhabaleshwar (UID 58737) |
|---|
| ارسال | 05/12/2023 05:26 PM (2 سنوات منذ) |
|---|
| الاعتدال | 09/12/2023 06:12 PM (4 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 247342 [PHPGurukul Teacher Subject Allocation Management System 1.0 index.php searchdata البرمجة عبر المواقع] |
|---|
| النقاط | 20 |
|---|