Code-Projects Public Chat Room Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects Public Chat Room version 1.0. The flaw is in '/send_message.php': the values of the 'chat_msg' and 'your_name' request parameters are stored without validation and later rendered into the chat page without HTML escaping. An attacker can therefore submit a message or display name containing script markup, and every user who subsequently loads the chat executes it in their own browser.
Impact
Because the payload is stored server-side, it runs in the browser of every user who views the chat, in the context of that user's session with the application rather than the attacker's. Consequences include theft of session cookies or other authentication material (where the cookie is not flagged HttpOnly), hijacking of the victim's session, and messages or actions performed under the victim's identity.
Reproduction
To reproduce, send a POST request to '/chat/send_message.php' whose message value contains a script tag, such as '<script>alert("XSS")</script>' (the original report names the parameter 'msg' here and 'chat_msg' in the vulnerability description; the 'your_name' parameter is affected in the same way). The message is stored and the script executes whenever another user loads the chat.
Remediation
Escape all user-generated content as HTML entities at the point where it is rendered (in PHP, htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset), using the encoding appropriate to the context the value lands in (HTML body, attribute, JavaScript string). Input validation such as a length limit or rejecting markup is a useful second layer but not a substitute, because a stored value may later be rendered in a context the input filter did not anticipate. Setting the HttpOnly flag on the session cookie and sending a Content-Security-Policy header limit the impact if an injection is missed.
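The following is an added example, not code from the Public Chat Room project, contrasting the unescaped rendering pattern the Vulnerability section describes with the output-encoding fix recommended above. The row layout, the function names and the message list are assumptions for illustration; the sample rows are constructed and reuse the payload from the Reproduction section in both affected fields.

```php
<?php
// Added example, not the project's own code. Demonstrates why raw concatenation of
// stored chat data into HTML is exploitable and how output encoding neutralises it.
declare(strict_types=1);

// Constructed sample rows in the shape a SELECT over the chat table might return.
// Column names mirror the request parameters named in the advisory (an assumption).
$rows = [
    ['your_name' => 'alice', 'chat_msg' => 'hello & welcome'],
    [
        'your_name' => '<script>alert("XSS")</script>',
        'chat_msg'  => '<script>alert("XSS")</script>',
    ],
];

// Vulnerable: the stored values are inserted into the page verbatim, so the
// browser parses the attacker's <script> tag as markup and executes it.
function renderMessageUnsafe(array $row): string
{
    return '<div class="msg"><b>' . $row['your_name'] . '</b>: ' . $row['chat_msg'] . '</div>';
}

// Hardened: every untrusted value is HTML-entity-encoded at output time.
// ENT_QUOTES also encodes single and double quotes, which matters if the value is
// ever placed inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string, so malformed input cannot blank the page.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMessageSafe(array $row): string
{
    return '<div class="msg"><b>' . esc($row['your_name']) . '</b>: ' . esc($row['chat_msg']) . '</div>';
}

// Defence in depth, sent before any output: a restrictive CSP blocks inline scripts
// even if an unescaped sink is missed elsewhere in the application.
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

foreach ($rows as $row) {
    echo 'UNSAFE: ' . renderMessageUnsafe($row) . PHP_EOL;
    echo 'SAFE:   ' . renderMessageSafe($row) . PHP_EOL;
}

// The escaped rendering of the malicious row contains no raw angle brackets, so the
// browser shows the payload as literal text instead of executing it.
$safe = renderMessageSafe($rows[1]);
assert(str_contains($safe, '&lt;script&gt;'));
assert(!str_contains($safe, '<script>'));
```

Run with `php example.php` (PHP 8 or later, for str_contains()). The important property is that esc() is applied at the rendering sink, not when the message is received: the same stored value can then be safely shown in any HTML body context, and a separate encoder would be chosen if it were ever emitted into a JavaScript string or a URL.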
