School Management System Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the School Management System version 1.0, developed by manikandan580. The issue resides in the contact-us.php file within the admin section, where the email POST parameter is improperly sanitized before being reflected in the response. This flaw allows attackers to inject arbitrary JavaScript that could be executed in the browsers of administrators handling the affected form.

Impact

Exploitation of this vulnerability could lead to the theft of administrator session cookies and authentication tokens, especially if those cookies are not marked as HttpOnly. Additionally, an attacker could gain full administrative control over the application, performing any actions that an admin can.

Reproduction

To reproduce this vulnerability, send a POST request to the /studentms/admin/contact-us.php endpoint with a crafted email parameter that includes JavaScript payloads, such as <script> tags. The injected script will be executed in the context of the admin's browser.

Remediation

To address this vulnerability, output encoding should be applied by using htmlspecialchars() to escape the email value before it is echoed into the HTML response. Additionally, server-side validation of the email field against an RFC-compliant regular expression is recommended to reject non-conforming values. Implementing a Content Security Policy to block inline script execution, hardening admin session cookies with HttpOnly and SameSite attributes, and sanitizing user input by stripping or encoding HTML special characters can further mitigate the risk.
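The following is an added example, not code from the School Management System project, showing the remediation steps above side by side: the unsafe reflection pattern the advisory describes, the same output wrapped in htmlspecialchars(), server-side validation of the email field, and the defence-in-depth headers and cookie attributes. Function names, the handler shape, and the use of PHP's built-in filter_var() with FILTER_VALIDATE_EMAIL in place of a hand-written RFC regex are assumptions; the project's real contact-us.php is not reproduced here.

```php
<?php
// Added example (not the project's own code). Function names and the
// $_POST['email'] handling are assumptions drawn from the advisory text.

// BEFORE: the submitted value is echoed straight back, so any markup in it is
// rendered by the admin's browser. This is the pattern the advisory describes.
function renderEmailVulnerable(string $email): string
{
    return "<p>We will reply to: " . $email . "</p>";
}

// AFTER: HTML-encode at the point of output. ENT_QUOTES also encodes single
// quotes so the value stays inert inside attribute contexts.
function renderEmailSafe(string $email): string
{
    $encoded = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>We will reply to: " . $encoded . "</p>";
}

// Server-side validation: reject anything that is not a syntactically valid
// address before it is stored or reflected. filter_var() is used here in place
// of the RFC regular expression suggested in the advisory (assumption).
function validateEmail(string $email): ?string
{
    $email = trim($email);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Defence in depth for the admin area: a CSP without 'unsafe-inline' blocks
// inline script execution, and the session cookie gets HttpOnly/SameSite.
// Must run before any output is sent and before session_start().
function hardenAdminResponse(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
        'path'     => '/',
    ]);
}

// Hypothetical handler shape for the contact form: validate, then encode.
function handleContactForm(array $post): string
{
    $email = validateEmail($post['email'] ?? '');
    if ($email === null) {
        return '<p>Please enter a valid email address.</p>';
    }
    return renderEmailSafe($email);
}

if (PHP_SAPI !== 'cli') {
    hardenAdminResponse();
    session_start();
    echo handleContactForm($_POST);
} else {
    // Constructed sample input for a local check of the two render paths.
    $sample = '"><script>alert(1)</script>@example.com';
    echo renderEmailVulnerable($sample), PHP_EOL;
    echo renderEmailSafe($sample), PHP_EOL;
    var_dump(validateEmail($sample));
    var_dump(validateEmail('admin@example.com'));
}
```

Run it from the command line (`php contact-demo.php`) to compare the two render paths on the constructed sample: the vulnerable function passes the markup through unchanged, the safe one returns it entity-encoded, and validateEmail() rejects it because `<`, `>` and an unbalanced quote are not permitted in the local part. Encoding at output is the fix that removes the XSS; the validation, CSP and cookie flags limit what an attacker gains if another reflection point is missed.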

Added: Apr 14, 2026, 5:55 PM
Updated: Apr 14, 2026, 5:55 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.