Kashipara Computer Base Test Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Kashipara Computer Base Test version 1.0. The issue resides in the 'home.php' file within the admin panel feedback section. Attackers can inject script through the 'smyFeedbacks' POST parameter; the value is stored unencoded and executes in the browser of any admin who later views the feedback.
Impact
Exploitation allows for session hijacking by stealing admin cookies or session tokens, and could also be used to inject phishing forms, deface content, or distribute malware by redirecting users to malicious sites.
Reproduction
To reproduce this vulnerability, log in as a student and navigate to the 'Add Feedback' section. Intercept the POST request using Burp Suite and modify the 'smyFeedbacks' parameter to include a script payload, such as an alert script. After sending the request, log in as an admin and go to the 'All Feedbacks' page to observe the executed script, which confirms the successful exploitation of the XSS vulnerability.
Remediation
To address this vulnerability, user input must be neutralized before it reaches a browser: on the server, encode feedback with PHP's 'htmlspecialchars()' at the point where it is rendered into HTML, and where rich HTML genuinely has to be allowed, sanitize it with a library such as DOMPurify. Additionally, a Content Security Policy (CSP) should be established to restrict inline scripts and unauthorized script sources. Output encoding matched to the rendering context is the essential control, and modern PHP frameworks with built-in XSS protections in their template engines can be leveraged so that encoding is applied by default.
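The following is an added example, not code from the Kashipara project, showing the vulnerable rendering pattern described above beside its hardened form and the CSP header recommended as defence in depth. It assumes feedback rows are held in an array with an 'smyFeedbacks' key (the parameter name from the advisory); the function names and the sample rows are constructed for illustration.

```php
<?php
// Added example (not Kashipara's code). Assumed data shape: each feedback row is an
// associative array with an 'smyFeedbacks' key holding the stored student text.
declare(strict_types=1);

// Constructed sample data: one benign entry and one carrying the harmless alert
// payload the advisory uses to confirm the bug. Used here only to show encoding.
$feedbacks = [
    ['id' => 1, 'smyFeedbacks' => 'Great course, thanks!'],
    ['id' => 2, 'smyFeedbacks' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value is interpolated into the page unchanged, so the
// browser of whoever opens "All Feedbacks" parses any HTML the student submitted.
function renderFeedbackUnsafe(array $row): string
{
    return '<li>' . $row['smyFeedbacks'] . '</li>';
}

// Hardened pattern: encode for an HTML text context at output time. ENT_QUOTES encodes
// both quote characters (important if the value is ever placed in an attribute),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string, and
// ENT_HTML5 selects the HTML5 entity table.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFeedbackSafe(array $row): string
{
    return '<li>' . e($row['smyFeedbacks']) . '</li>';
}

// Defence in depth: a CSP with no 'unsafe-inline' in script-src, so an encoding slip
// elsewhere in the admin panel still does not let an injected <script> block run.
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

sendCspHeader();

foreach ($feedbacks as $row) {
    echo 'unsafe: ' . renderFeedbackUnsafe($row) . PHP_EOL;
    echo 'safe:   ' . renderFeedbackSafe($row) . PHP_EOL;
}
```

Run with `php example.php`; the second row renders as `&lt;script&gt;alert(1)&lt;/script&gt;` in the safe branch, which the browser displays as literal text. Encoding belongs at output, not at storage, so the same stored value can be safely emitted into different contexts (HTML body, attribute, JSON) with the encoder appropriate to each; the CSP is a backstop, not a substitute for that encoding.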
