PHPGurukul Rail Pass Management System Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Rail Pass Management System version 1.0. The issue resides in the admin/aboutus.php file, where the 'pagedes' parameter is not properly sanitized before being output. This flaw allows attackers to inject malicious JavaScript that executes in the context of the user's browser, potentially stealing cookies and session information. The vulnerability can be exploited remotely, but requires authentication and user interaction.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the application as an admin and navigate to the 'About Us' section under the admin management panel. Once there, the 'pagedes' parameter can be manipulated by injecting a script, such as one that alerts the document cookies. After submitting the injection, the script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to implement context-aware output encoding, apply input validation and sanitization, secure session cookies by marking them as HttpOnly and Secure, and utilize framework protections if available.
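The recommendations above, applied to a page that stores and redisplays 'pagedes', as an added example rather than PHPGurukul's own code. The function names and the sample value are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Added example. Only the parameter name 'pagedes' comes from the advisory;
// every function name below is hypothetical.

// Mark the session cookie HttpOnly and Secure. Must run before session_start().
function start_hardened_session(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true]);
    session_start();
}

// Input validation: bound the size and reject malformed UTF-8.
// The value is stored unmodified; encoding is applied at output time.
function validate_pagedes(string $raw, int $maxBytes = 5000): string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > $maxBytes) {
        throw new InvalidArgumentException('pagedes is empty or too long');
    }
    if (preg_match('//u', $value) !== 1) {
        throw new InvalidArgumentException('pagedes is not valid UTF-8');
    }
    return $value;
}

// Output encoding for HTML element content and quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI !== 'cli') {
    start_hardened_session();
}

// Constructed sample value of the kind the Reproduction section describes.
$stored = validate_pagedes("<script>alert(document.cookie)</script>\nRail pass info");

// Edit form: the markup is shown to the admin as text, not executed.
echo '<textarea name="pagedes">' . e($stored) . '</textarea>', PHP_EOL;

// Display: encode first, then add line breaks.
echo '<p>' . nl2br(e($stored)) . '</p>', PHP_EOL;
```

The encoder here covers the HTML body and quoted-attribute contexts only; a value placed inside a script block or a URL needs the encoder for that context instead.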

Added: Jun 16, 2025, 2:25 PM
Updated: Jun 16, 2025, 2:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 4.2
exploitability: 5.9
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.