Code-Projects Tourism Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Tourism Management System version 1.0. The issue arises in the file '/admin/manage-pages.php', where the 'pgedetails' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript. This injected script is executed when the affected page is viewed, potentially leading to the theft of sensitive information such as cookies and session tokens, and allowing attackers to perform actions on behalf of other users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, log into the application as an admin and navigate to '/admin/manage-pages.php'. Select any page for editing and enter arbitrary details in the 'Package Details' field. Capture the request with Burp Suite, then modify the 'pgedetails' parameter to include a malicious payload, such as a script tag with JavaScript code, such as an alert. Submit the modified request, then navigate to '/page.php?type=[malicious-page]' to see the injected script execute.

Remediation

To address this vulnerability, sanitize output using functions like 'htmlentities()' or 'htmlspecialchars()' with 'ENT_QUOTES' to encode HTML special characters. Validate and sanitize user input on both client-side and server-side to reject malicious scripts. Implement a Content Security Policy to mitigate the impact of potential XSS attacks.