PHPGurukul Car Rental Project Cross-Site Scripting Vulnerability in Search.php

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Car Rental Project version 3.0. The issue resides in the file '/carrental/search.php', where the 'autofocus' parameter is not properly sanitized before being output into the page. This flaw allows remote attackers to inject and execute malicious scripts in the context of the victim's browser. The vulnerability could affect both unauthenticated users and authenticated users, including administrators.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to '/carrental/search.php' with the 'autofocus' parameter manipulated to include a script payload, such as an alert() function. This can be done using a web browser or a tool like Burp Suite.

Remediation

It is recommended to implement proper input validation and output encoding for user-controlled data. Additionally, a Content Security Policy (CSP) can be used to restrict the sources from which scripts can be executed.
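The following is an added illustration of the remediation described above; it is not PHPGurukul's own search.php, and the function names, the form field and the request array shape are assumptions, since the advisory only names the 'autofocus' POST parameter in '/carrental/search.php'. It places the reflecting pattern the advisory describes beside a hardened version that validates the value and HTML-encodes it for the attribute it is written into, and adds the Content Security Policy header as a second layer.

```php
<?php
// Added example for the remediation above; not PHPGurukul's code.
// Function names, the rendered form field and the $post array are assumptions.

// Vulnerable pattern (the class of flaw the advisory describes): the parameter
// is reflected into the HTML response unchanged, so any markup in the value
// becomes live content in the victim's browser.
function render_search_vulnerable(array $post): string
{
    $autofocus = $post['autofocus'] ?? '';
    return '<input type="text" name="autofocus" value="' . $autofocus . '">';
}

// Hardened pattern: validate the value first, then encode it for the context.
function render_search_hardened(array $post): string
{
    $autofocus = $post['autofocus'] ?? '';

    // Input validation: the field must be a string of bounded length.
    // Arrays (from autofocus[]=...) and oversized values are discarded
    // rather than echoed back.
    if (!is_string($autofocus) || strlen($autofocus) > 64) {
        $autofocus = '';
    }

    // Output encoding for an HTML attribute: ENT_QUOTES encodes both ' and ",
    // so the value cannot close the attribute early; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string; the charset is
    // given explicitly to avoid relying on the default.
    $safe = htmlspecialchars($autofocus, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="autofocus" value="' . $safe . '">';
}

// Defence in depth: a policy without 'unsafe-inline' stops inline script from
// running even if an encoding bug is reintroduced later. Must be sent before
// any output. The directive set here is a starting point, not PHPGurukul's.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed request data for a local check (not taken from the advisory).
$sample = ['autofocus' => '"><b>bold</b>'];

send_csp_header();
echo render_search_hardened($sample), PHP_EOL;
```

Run from the command line with `php search_fix_example.php` (any file name works): the quotes and angle brackets in the constructed value come back as HTML entities inside the attribute, while the same input passed to render_search_vulnerable would break out of the attribute. Encoding must match the output context; a value written into a JavaScript block or a URL needs a different encoder than htmlspecialchars.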

Added: Sep 22, 2025, 5:18 PM
Updated: Sep 22, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          1.7
exploitability  7.9
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.