Glamour Salon Management System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Glamour Salon Management System version 1, developed by Hiruna Gallage. The issue is located in the 'blog-details.php' file, specifically on line 65. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML into the blog comment section, which is not properly sanitized before being displayed. As a result, malicious JavaScript can be executed in the browsers of users who view the affected page.

Impact

Exploitation of this vulnerability allows attackers to execute malicious JavaScript in the context of the victim's browser. This could lead to impersonating the user, capturing login credentials, performing actions on behalf of the user, or injecting malicious functionality into the website.

Reproduction

To reproduce this vulnerability, navigate to the blog comment section of the Glamour Salon Management System. Submit a comment containing a script tag, such as one that triggers a JavaScript alert. After posting the comment, refresh the page to see the injected script execute in the browser.

Remediation

To address this vulnerability, input sanitization should be implemented in the 'blog-details.php' file. Using PHP's 'htmlspecialchars()' function can encode special characters into HTML entities, preventing the execution of injected scripts.