| Title | codeastro.com Online Food Ordering System in PHP MySQL with Source Code (WEB APP) 1.0 Cross-Site Scripting (XSS) |
|---|
| Description | Vulnerability Report
Introduction:
This document provides details on the identification and assessment of a security vulnerability discovered within the Online Food Ordering System.
System Overview:
Project Name: Online Food Ordering System in PHP MySQL with Source Code
Type: Cross-site Scripting (Reflected)
Project Link: https://codeastro.com/online-food-ordering-system-in-php-mysql-with-source-code/
Vulnerability Details:
Description:
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the "res_id" parameter of the "dishes.php" page in the Online Food Ordering System. The value of the parameter is written back into the page without HTML encoding, so an attacker who gets a victim to open a crafted link can inject and execute arbitrary script in the victim's browser, in the origin of the application.
Impact Assessment:
Potential Impact: An attacker could exploit this vulnerability to execute malicious scripts in users' browsers, potentially leading to actions performed in the victim's session, theft of data visible to that session, or other malicious activity.
Severity: High
Mitigation Steps:
Input Validation:
Validate user-supplied data, especially query-string parameters such as "res_id", against the format the application actually expects before using it; if "res_id" is a numeric record identifier, reject any value that is not a positive integer rather than trying to strip script tags from it.
Output Encoding:
HTML-encode every reflected value at the point where it is written into the page. The payload's leading `">` indicates the value is reflected inside a quoted HTML attribute, so the encoding must cover quotes as well as angle brackets (in PHP, htmlspecialchars with ENT_QUOTES).
Content Security Policy (CSP):
Implement and enforce a strict Content Security Policy that disallows inline script, so that an encoding that is missed elsewhere does not result in script execution. CSP is a second line of defence, not a replacement for output encoding.
Reproduction Steps:
Access the following URL: http://192.168.50.83/OnlineFood-PHP/dishes.php?res_id=l68q4"><script>alert(1)</script>qpaxv
Observe the execution of the payload (l68q4"><script>alert(1)</script>qpaxv), confirming the presence of the XSS vulnerability in the "res_id" parameter.
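The following PHP is an added illustration written for this entry; it is not code from the CodeAstro project and the file, function and variable names are assumptions. It shows the kind of attribute-context reflection the payload above implies, and the three mitigations listed in the report (integer validation of res_id, output encoding with htmlspecialchars, and a CSP header) applied to it.

```php
<?php
// Added example, not the project's own code. Assumes res_id is a numeric
// restaurant identifier reflected into a quoted HTML attribute; both are
// inferences from the report's payload, not confirmed project details.

// --- Vulnerable pattern (illustrative) ---
// The raw query parameter is concatenated into an attribute. The payload
// l68q4"><script>alert(1)</script>qpaxv closes the quote and the tag,
// so the <script> element becomes part of the page and runs.
function render_vulnerable(string $res_id): string {
    return '<a href="dishes.php?res_id=' . $res_id . '">Menu</a>';
}

// --- Hardened pattern ---
// 1) Input validation: accept only a positive integer, reject everything else
//    before the value reaches HTML or SQL.
function parse_res_id(?string $raw): ?int {
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2) Output encoding: ENT_QUOTES encodes both " and ' so a value cannot break
//    out of an attribute; ENT_HTML5 and an explicit charset avoid surprises.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(?int $res_id): string {
    if ($res_id === null) {
        return '<p>Invalid restaurant id.</p>';
    }
    // Encode even the validated integer: the habit is "encode at output",
    // not "trust that upstream validation was applied".
    return '<a href="dishes.php?res_id=' . h((string) $res_id) . '">Menu</a>';
}

// 3) CSP: no inline script, so a missed encoding elsewhere still does not
//    execute. Must be sent before any output.
function send_csp(): void {
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Self-check with the payload from the report (run: php dishes_example.php).
send_csp();
$payload = 'l68q4"><script>alert(1)</script>qpaxv';
echo "vulnerable:                  " . render_vulnerable($payload) . PHP_EOL;
echo "hardened (payload rejected): " . render_hardened(parse_res_id($payload)) . PHP_EOL;
echo "hardened (valid id):         " . render_hardened(parse_res_id('7')) . PHP_EOL;
// Where a free-text field must be echoed, h() alone is the safeguard; the
// quote and angle brackets come out as &quot; &lt; &gt; and stay inert.
echo "encoded payload:             " . h($payload) . PHP_EOL;
```

The first line of output reproduces the broken markup the report describes; the remaining lines show that the crafted value is rejected outright, and that even if it had to be echoed, the encoded form cannot close the attribute or the tag.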
Researcher:
Name: ABHISHEK K A
Contact: [email protected]
Role: Cybersecurity Researcher
Project Details:
Project Name: Online Food Ordering System in PHP MySQL with Source Code
Discovery Date: 08/01/2024
Project Link: https://codeastro.com/online-food-ordering-system-in-php-mysql-with-source-code/
Source of Project: Obtained from codeastro.com
Your Commitment:
The researcher is committed to responsible disclosure and will not publicly disclose the vulnerability until it has been appropriately addressed.
Contact Information:
Preferred Communication Method: [email protected]
Timeline:
Discovery Date: 08/01/2024
|
|---|
| Source | ⚠️ https://drive.google.com/file/d/1SaHrOPMV6yrBaS5pA7MOX8nsiVGxvlOa/view?usp=sharing |
|---|
| User | ABHISHEK K.A (UID 61005) |
|---|
| Submission | 01/09/2024 07:57 (2 years ago) |
|---|
| Moderation | 01/11/2024 13:22 (2 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 250442 [CodeAstro Online Food Ordering System 1.0 dishes.php res_id cross site scripting] |
|---|
| Points | 0 |
|---|