PHPGurukul Taxi Stand Management System Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in PHPGurukul Taxi Stand Management System version 1.0. The flaw is in the file '/search.php', specifically in the handling of the 'searchdata' parameter: its value is written into the HTML response without sanitization or output encoding, so a remote attacker can inject JavaScript that is executed in the context of the victim's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser. This could lead to the theft of session tokens or sensitive information, redirection to malicious websites, phishing attacks, or the bypassing of client-side security measures.

Reproduction

To reproduce this vulnerability, send a POST request to '/atsms/search.php' with a 'searchdata' parameter containing a script payload, such as a JavaScript alert. The injected script will execute as soon as the page is loaded, demonstrating the cross-site scripting flaw.

Remediation

It is recommended to sanitize user-controlled values (including request parameters such as 'searchdata' and cookie values) before using them in HTML output, to apply proper output encoding for all user-controlled data, and to deploy a Content Security Policy to mitigate script execution. Avoid reflecting user-supplied values in the frontend unless absolutely necessary.
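The following is an added example of a hardened search handler, written to illustrate the remediation above; it is not PHPGurukul's own code. It assumes that $conn is an existing PDO connection and that the table and column names (tbltaxi, TaxiNumber, DriverName) are placeholders for whatever the application actually queries. Every value written back to the page, including the reflected 'searchdata' parameter, passes through htmlspecialchars(), and a Content Security Policy header blocks inline script execution as a second layer.

```php
<?php
// Added example, not part of PHPGurukul Taxi Stand Management System.
// Assumptions: $conn is an existing PDO handle; tbltaxi/TaxiNumber/DriverName
// are hypothetical names standing in for the real schema.
declare(strict_types=1);

// Defence in depth: a CSP that forbids inline scripts means a reflected
// payload cannot run even if an encoding call is missed somewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Encode a value for safe insertion into an HTML text node or attribute.
// ENT_QUOTES covers both quote styles so the value is safe inside value="...".
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$searchdata = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['searchdata'])) {
    // Input validation (trim, length cap) reduces abuse but is not a
    // substitute for output encoding; the e() calls below are the XSS fix.
    $searchdata = mb_substr(trim((string) $_POST['searchdata']), 0, 100);
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Search</title></head>
<body>
<form method="post" action="search.php">
  <!-- The vulnerable pattern this replaces echoes $_POST['searchdata']
       straight into the page; here it is always encoded first. -->
  <input type="text" name="searchdata" value="<?= e($searchdata) ?>">
  <button type="submit">Search</button>
</form>
<?php if ($searchdata !== ''): ?>
  <p>Results for "<?= e($searchdata) ?>":</p>
  <?php
  // A parameterised query keeps the same input from reaching SQL unescaped.
  // Two distinct placeholders are used because some PDO drivers reject
  // reusing one named parameter when native prepares are enabled.
  $stmt = $conn->prepare(
      'SELECT TaxiNumber, DriverName FROM tbltaxi WHERE TaxiNumber LIKE :q1 OR DriverName LIKE :q2'
  );
  $like = '%' . $searchdata . '%';
  $stmt->execute([':q1' => $like, ':q2' => $like]);
  foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row): ?>
    <div><?= e($row['TaxiNumber']) ?> - <?= e($row['DriverName']) ?></div>
  <?php endforeach; ?>
<?php endif; ?>
</body>
</html>
```

Encoding at the point of output, rather than "cleaning" the input on the way in, is what removes the reflected XSS: the value stays intact for the database query, but any markup it contains is rendered as literal text. The CSP header is a mitigation, not the fix; it limits damage if a future change forgets to encode a value.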

Added: Jul 21, 2025, 11:57 PM
Updated: Jul 21, 2025, 11:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 1.7
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.