PHPGurukul Time Table Generator System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Time Table Generator System version 1.0. The issue resides in the adminname parameter of the file /admin/profile.php. This vulnerability allows the injection of malicious JavaScript, which is executed when an admin views their profile. The attack can be conducted remotely, requiring user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) attacks, privilege escalation if an admin views the injected content, and exfiltration of sensitive data or redirection to malicious websites.

Reproduction

To reproduce this vulnerability, send a POST request to /ttg/admin/profile.php with the adminname parameter containing the injected JavaScript. Include the necessary headers to simulate a legitimate request, such as User-Agent and Referer. After the injection, the malicious script will execute when the admin views their profile.

Remediation

It is recommended to implement output encoding, input validation, and to apply a Content Security Policy (CSP). Using a sanitizer to clean user inputs before rendering them can also help mitigate this vulnerability.