Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Projectworlds Gate Pass Management System Cross-Site Scripting Vulnerability
Vulnerability
A critical persistent cross-site scripting (XSS) vulnerability has been identified in Projectworlds Gate Pass Management System version 1.0. The issue resides in the file '/add-pass.php', where user input is not properly sanitized before being saved to the database. This allows authenticated attackers to inject malicious scripts that are executed in the browsers of users who view the affected pages, including administrators.
Impact
Exploitation of this vulnerability allows for session hijacking by stealing cookies from other users, including admins, which can be used to impersonate them. It also enables unauthorized actions on behalf of the victim, such as creating admin accounts or deleting passes. Additionally, injected scripts could log keystrokes or deface the website.
Reproduction
To reproduce this vulnerability, log into the application and navigate to the 'Add Pass' page. Insert a JavaScript payload, such as an image tag with an 'onerror' event, into the 'Full Name' or 'Reason' fields. After submitting the form, the payload will be stored in the database. To execute the script, go to a page that displays the pass details, such as 'Manage Passes' or 'View Pass Detail'. The injected script will run in the browser, demonstrating the cross-site scripting vulnerability.
Remediation
User-controlled data should always be encoded before it is displayed in HTML. In the affected files, use the 'htmlspecialchars()' function to convert special characters into HTML entities, which prevents the browser from interpreting them as code.
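The remediation above as an added example (not code from Projectworlds or from this advisory): a pass-listing row rendered without and with output encoding. The helper `e()`, the function names, and the array keys `full_name` and `reason` are assumptions standing in for the application's real code and column names.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the project): encode a value for use in an
// HTML text node or a quoted attribute value.
function e(?string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: stored values are concatenated as-is, so any markup they contain
// is parsed by the browser of whoever views the listing.
function renderPassRowUnsafe(array $pass): string
{
    return '<tr><td>' . $pass['full_name'] . '</td><td>' . $pass['reason'] . '</td></tr>';
}

// After: every stored value is encoded at the point of output.
function renderPassRow(array $pass): string
{
    return '<tr><td>' . e($pass['full_name']) . '</td><td>' . e($pass['reason']) . '</td></tr>';
}

// Constructed sample row standing in for a record read from the database
// (assumed keys for the 'Full Name' and 'Reason' fields).
$pass = [
    'full_name' => '<img src=x onerror="alert(1)">',
    'reason'    => 'Visit "Block A" & B',
];

echo renderPassRowUnsafe($pass), PHP_EOL; // markup from the record is emitted raw
echo renderPassRow($pass), PHP_EOL;       // the same values emitted as inert text

// Regression check: no raw tag from a stored value may survive encoding.
if (strpos(renderPassRow($pass), '<img') !== false) {
    throw new RuntimeException('stored markup reached the page unencoded');
}
```

This encoding is correct for HTML body text and quoted attribute values; a stored value placed inside a script block or a URL attribute needs the encoding for that context instead.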
