PHPGurukul Apartment Visitors Management System Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in PHPGurukul Apartment Visitors Management System version 1.0. The issue arises in the file '/search-visitor.php', where the 'searchdata' parameter, submitted via POST request, is not properly sanitized or encoded before being displayed. This flaw allows attackers to inject malicious JavaScript that executes in the user's browser. The vulnerability can be exploited remotely, without authentication, but requires user interaction.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser. This could lead to the theft of cookies or session tokens, execution of cross-site request forgery (CSRF) attacks, privilege escalation if an admin views the injected content, and redirection of users to malicious sites.

Reproduction

To reproduce this vulnerability, send a POST request to '/avms/search-visitor.php' with a 'searchdata' parameter containing the injected script, such as a JavaScript alert. This can be done using a tool like Burp Suite or through a simple HTML form that submits to the vulnerable endpoint.

Remediation

It is recommended to implement proper output encoding, input validation, and to apply a Content Security Policy (CSP) to mitigate this vulnerability.