Edoc Doctor Appointment System Cross-Site Scripting Vulnerability in Session Management

A cross-site scripting (XSS) vulnerability has been identified in the Edoc Doctor Appointment System version 1.0.1. The issue resides in the admin/add-session.php file, where user input in the 'title' parameter is not properly sanitized before being stored in the database. This allows for the injection of malicious HTML, which is executed when the session is viewed by an admin, doctor, or patient. To exploit this vulnerability, an admin must create a session and inject a payload that redirects to an attacker-controlled site.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the session.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Add a session' page. Capture the request to 'admin/add-session.php' and inject a payload into the 'title' parameter that includes a meta tag for redirection. After submitting the request, the injected payload will be executed when the session is viewed.

Remediation

To address this vulnerability, sanitize the 'title' input by removing HTML tags and escaping output before rendering it in the HTML context. Consider using a library like HTMLPurifier if rich text input is necessary.