PHPGurukul Park Ticketing Management System HTML Injection Vulnerability in Foreigner Search

Vulnerability

An HTML injection vulnerability has been identified in the foreigner-search.php file of PHPGurukul Park Ticketing Management System version 2.0. The value of the searchdata POST parameter is reflected into the response page without output encoding, so an authenticated remote attacker (the search is reached through the admin panel) can inject arbitrary HTML, including script, into the page rendered to other admin users.

Impact

Because the injected markup is rendered by the browser, exploitation amounts to cross-site scripting (XSS) against anyone who views the affected page: an attacker can hijack the victim's session, spoof parts of the user interface (for example by inserting a fake login form), or otherwise act in the victim's context.

Reproduction

To reproduce this vulnerability, log into the admin panel of the Park Ticketing Management System. Navigate to the 'Search' section and select 'Foreigners Ticket Search', then submit a search. Intercept the resulting POST request to foreigner-search.php with Burp Suite and replace the value of the searchdata parameter with an HTML payload (a harmless marker such as <h1>test</h1> is enough to confirm the issue). Forward the modified request: the injected markup is rendered unencoded in the results page, confirming the vulnerability.

Remediation

The primary fix is output encoding: every reflected value, including searchdata, must be HTML-encoded for the context it is written into (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset) so that injected markup is displayed as text rather than interpreted. Input validation (for example, restricting the search term to the characters a ticket number or name can contain) is a useful additional control but should not be relied on alone, since blocklist-style filtering is routinely bypassed. Finally, deploy a Content Security Policy (CSP) header that disallows inline script as defence in depth, so that a residual encoding gap cannot be turned into script execution.
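The following PHP is an added example to illustrate the remediation above; it is not code from PHPGurukul's foreigner-search.php. It assumes the page reads the search term from $_POST['searchdata'] and echoes it back into the results heading; the function names, the heading text, and the payload are constructed for the demonstration.

```php
<?php
// Added example, not PHPGurukul's code. Assumes foreigner-search.php reads the
// search term from $_POST['searchdata'] and reflects it into the results page.

// Vulnerable pattern (illustrative): attacker-controlled input concatenated
// straight into HTML. A payload such as <img src=x onerror=...> is interpreted
// by the browser, which is exactly what the reproduction step demonstrates.
function render_heading_vulnerable(string $searchdata): string
{
    return '<h4>Search results for: ' . $searchdata . '</h4>';
}

// Hardened: encode on output for the HTML text context the value lands in.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would otherwise silently drop the value.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_heading_safe(string $searchdata): string
{
    return '<h4>Search results for: ' . esc_html($searchdata) . '</h4>';
}

// Optional input validation as a second layer (hypothetical rule): ticket
// searches only need alphanumerics, spaces and a few separators, so anything
// else is rejected before it reaches the database query or the page.
function is_valid_search_term(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 @._-]{1,60}$/', $value);
}

// Defence in depth: a CSP that forbids inline script, so even an overlooked
// reflection point cannot execute <script> or on* handlers. Must be sent
// before any output is written.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Demonstration with a constructed payload of the kind used in the reproduction.
if (PHP_SAPI === 'cli') {
    $payload = '<img src=x onerror=alert(document.cookie)>';

    echo "vulnerable: " . render_heading_vulnerable($payload) . PHP_EOL;
    echo "hardened:   " . render_heading_safe($payload) . PHP_EOL;
    echo "valid term: " . (is_valid_search_term($payload) ? 'yes' : 'no') . PHP_EOL;
} else {
    send_csp_header();
    $term = (string) ($_POST['searchdata'] ?? '');
    if (!is_valid_search_term($term)) {
        http_response_code(400);
        echo '<p>Invalid search term.</p>';
        exit;
    }
    echo render_heading_safe($term);
}
```

Run from the command line to see the difference: the vulnerable output contains the raw <img ...> tag, while the hardened output contains &lt;img src=x onerror=alert(document.cookie)&gt;, which the browser displays as text. The validation regex is deliberately strict and would need to be widened to match whatever the real search field legitimately accepts; the output encoding is the control that must never be skipped.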

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.