Phpgurukul Vehicle Record Management System
cpe:2.3:a:phpgurukul:vehicle_record_system:*:*:*:*:*:*:*
- v1.0
A stored cross-site scripting vulnerability has been identified in Phpgurukul Vehicle Record Management System version 1.0. The issue resides in the admin profile component, specifically within the mobile number parameter. This vulnerability allows attackers to inject arbitrary web scripts or HTML, which are then executed in the context of the user's browser. The application fails to sanitize or validate the mobile number input before storing it in the database, enabling the execution of injected scripts whenever the profile page is accessed.
Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user viewing the profile page. This could lead to session hijacking, as the script could steal cookies and impersonate the user. Additionally, if an admin's session is hijacked, the attacker could perform actions on behalf of the admin. The vulnerability also poses a risk of information disclosure, as sensitive data from the admin dashboard could be exfiltrated. Furthermore, the injected script could redirect users to attacker-controlled sites or cause a denial-of-service by disrupting the application's user interface.
To reproduce this vulnerability, log into the admin panel of the Vehicle Record Management System. Navigate to the profile page and enter a script payload into the mobile number field. After updating the profile, reload the page to see the script execute, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, implement strict validation for numeric inputs, ensuring that only valid mobile number formats are accepted. Additionally, encode output before rendering it on the page to prevent script execution. Other recommended measures include adding a Content Security Policy header, applying server-side input length restrictions, and using client-side input types or patterns as an initial defense.
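The mitigations above, sketched in PHP as an added example; this is not code from the application or its vendor. The 10-digit number format, the `mobilenumber` field name, the helper function names and the CSP value are assumptions, since the page does not give the application's own.

```php
<?php
declare(strict_types=1);

// Assumed CSP value; tune it to the scripts the application really loads.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Server-side validation. Returns the value, or null when it must be rejected.
// Assumption: a valid mobile number is exactly 10 digits.
function validate_mobile_number(string $raw): ?string
{
    // Length restriction first, so oversized input is rejected cheaply.
    if (strlen($raw) > 10) {
        return null;
    }
    // \A and \z anchor the whole string; '$' alone would allow a trailing newline.
    return preg_match('/\A[0-9]{10}\z/', $raw) === 1 ? $raw : null;
}

// Output encoding for HTML text and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode on output even though input is validated: rows stored before the
// fix may still contain markup. "mobilenumber" is a hypothetical field name.
function render_mobile_field(string $stored): string
{
    return '<input type="tel" name="mobilenumber" maxlength="10" pattern="[0-9]{10}" value="'
        . h($stored) . '">';
}

send_security_headers();

// Constructed sample inputs.
$samples = ['9876543210', '98765', "9876543210\n", '<script>alert(1)</script>'];
foreach ($samples as $s) {
    $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
    printf("%-30s => %s\n", $shown, validate_mobile_number($s) === null ? 'rejected' : 'accepted');
}

// A value stored before validation existed is rendered as inert text.
echo render_mobile_field('"><script>alert(1)</script>'), "\n";
```

Only the first sample is accepted. The final line prints the input element with the stored markup encoded as `&quot;&gt;&lt;script&gt;...`, so it cannot close the attribute or run as script.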