PHPGurukul Park Ticketing Management System Cross-Site Scripting Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in PHPGurukul Park Ticketing Management System version 2.0, specifically within the 'foreigner-bwdates-reports-details.php' file. This vulnerability allows remote attackers to inject arbitrary JavaScript by manipulating the 'fromdate' and 'todate' parameters in a POST request. The injected script is executed in the context of the user's browser, potentially leading to malicious actions such as cookie theft or session hijacking.

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting, where injected scripts are executed in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the 'Report' section. Select 'Foreigners People Report' and intercept the POST request using Burp Suite. Inject a script payload into the 'fromdate' and 'todate' parameters, then observe that the injected script executes when the page renders the input.

Remediation

It is recommended to implement input validation and output encoding for user-supplied data. Security libraries like HTMLPurifier can be used to sanitize inputs. Following OWASP guidelines for XSS prevention is also advised.
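As an added illustration (not code from PHPGurukul or from this advisory), the following PHP shows the reflected pattern beside a hardened handler that allow-lists the fromdate/todate format and HTML-encodes whatever it renders; the function names and the sample request are constructed for the example.

```php
<?php
// Added example (not PHPGurukul's code): hardening a date-range report page
// against reflected XSS in the fromdate/todate POST parameters.

// Vulnerable pattern, shown for contrast: raw POST values are echoed into HTML.
function renderRangeUnsafe(array $post): string
{
    return 'Report from ' . $post['fromdate'] . ' to ' . $post['todate'];
}

// Allow-list validation: accept only a strict YYYY-MM-DD calendar date and
// return the canonical string, or null when the value must be rejected.
function parseReportDate(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    // '!' resets unparsed fields; re-formatting catches rolled-over dates
    // such as 2025-02-30, and trailing data makes createFromFormat() fail.
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $dt->format('Y-m-d');
}

// Context-appropriate encoder for HTML body and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened handler: validate first, then encode on output anyway.
function renderRangeSafe(array $post): string
{
    $from = parseReportDate($post['fromdate'] ?? null);
    $to   = parseReportDate($post['todate'] ?? null);
    if ($from === null || $to === null || $from > $to) {
        return 'Invalid date range.'; // never reflect the rejected input
    }
    return 'Report from ' . h($from) . ' to ' . h($to);
}

// Constructed sample request modelled on the advisory's description.
$post = ['fromdate' => '<script>alert(1)</script>', 'todate' => '2025-06-09'];
echo renderRangeUnsafe($post), "\n"; // unsafe: reflects the raw payload
echo renderRangeSafe($post), "\n";   // safe: rejected before rendering
echo renderRangeSafe(['fromdate' => '2025-06-01', 'todate' => '2025-06-09']), "\n";
```

Validation alone is not sufficient for fields that legitimately carry free text; the encoding step in h() is the control that applies in every HTML output context, so keep it even where input is strictly validated.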

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         1.7
exploitability: 6.0
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.