SourceCodester Zoo Management System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Zoo Management System version 1.0. The issue resides in the administration panel, specifically within the file '/admin/templates/animal_form_template.php'. The vulnerability is triggered by manipulating the 'msg' URL parameter, which is reflected in the page output without proper sanitization. This flaw allows attackers to inject arbitrary JavaScript that executes in the context of the victim's browser session. The vulnerability can be exploited remotely, without authentication, by tricking a user into clicking a malicious link.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's session, potentially leading to session hijacking, unauthorized actions, data theft, or malware distribution.

Reproduction

To reproduce this vulnerability, send a request to '/admin/templates/animal_form_template.php' with the 'msg' parameter containing unsanitized JavaScript, such as a script tag with an alert command. This can be done by crafting a URL that includes the malicious script in the 'msg' parameter and then visiting that URL.

Remediation

It is recommended to implement input validation to reject special characters, use an allow-list approach, and apply output encoding techniques such as 'htmlspecialchars()' or 'htmlentities()'. Additionally, security headers like 'Content-Security-Policy' and 'X-XSS-Protection' should be utilized, along with regular security testing.