PHPGurukul Notice Board System Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Notice Board System version 1.0. The issue arises in the 'Add Notice' component within the admin panel, specifically in the '/admin/manage-notices.php' file. The vulnerability allows for the injection of malicious JavaScript into the 'Notice Title' and 'Notice Description' fields. This injected script is executed when the notices are viewed, potentially leading to unauthorized actions such as hijacking admin sessions or phishing attacks.

Impact

Exploitation of this vulnerability allows for arbitrary execution of JavaScript in the context of the affected user, which could include an admin. This could lead to session hijacking, phishing attacks, or a full compromise of the user's account.

Reproduction

To reproduce this vulnerability, log into the admin panel and navigate to the 'Add Notice' section. Enter a JavaScript payload, such as an image tag with an 'onerror' event, into the 'Notice Title' and 'Notice Description' fields. After submitting the form, the injected script will execute when the notice is viewed in the 'Manage Notices' section or on the dashboard.

Remediation

It is recommended to sanitize user input before storing it, using functions like 'htmlspecialchars' to encode special characters. Additionally, consider implementing server-side HTML filtering with libraries such as HTMLPurifier. Setting a strong Content Security Policy (CSP) header and validating input length and content before storage can also help mitigate this vulnerability.