code-projects Simple Car Rental System
cpe:2.3:a:code-projects:simple_car_rental_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in code-projects Simple Car Rental System version 1.0. The issue resides in the file /admin/add_vehicles.php, where the car_name parameter is not properly sanitized before being stored in the database. This lack of input validation allows attackers to inject malicious JavaScript, which is executed when the data is viewed by users, such as administrators.
Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the vehicle list, potentially leading to session hijacking, data theft, or unauthorized actions.
To reproduce this vulnerability, first log into the application and navigate to the /admin/add_cars.php page. Inject a script payload into the car_name field, such as a simple alert script, and submit the form. Once the payload is stored in the database, go to the /admin/add_vehicles.php page. The injected script will execute, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, implement proper input validation for the car_name parameter to restrict the length and character set before storing it in the database. Additionally, apply HTML entity encoding when outputting data to prevent script execution. Setting a Content Security Policy (CSP) can also provide an extra layer of protection by controlling which scripts can be executed in the browser.
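The three mitigations above, sketched in PHP as an added example (this is not code from the Simple Car Rental System project). The function names, the 64-character limit, the permitted character set and the CSP policy string are all assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: allow-list validation applied before car_name is stored.
// Assumed policy: 1-64 characters; letters, digits, space, dot, hyphen, parentheses.
function validate_car_name(string $raw): ?string
{
    $name = trim($raw);
    // preg_match returns 1 on match, 0 on no match, false on invalid UTF-8.
    if (preg_match('/^[\p{L}\p{N} .\-()]{1,64}$/u', $name) !== 1) {
        return null; // reject instead of trying to "clean" the value
    }
    return $name;
}

// Hypothetical helper: HTML entity encoding applied at output time.
// This is the control that stops stored markup from being parsed as script,
// including rows that were written before validation existed.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: a restrictive CSP as defence in depth. Without
// 'unsafe-inline', the browser refuses inline <script> blocks and handlers.
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
             . "object-src 'none'; base-uri 'self'");
    }
}

// Demonstration on constructed sample values (command line only).
if (PHP_SAPI === 'cli') {
    $samples = ['Toyota Corolla (2019)', '<script>alert(1)</script>'];
    foreach ($samples as $sample) {
        $status = validate_car_name($sample) === null ? 'rejected' : 'accepted';
        // Even a rejected or legacy value is safe to display once encoded.
        echo $status, ': ', e($sample), PHP_EOL;
    }
}
```

In a page that lists vehicles, `send_csp()` would be called before any output and every database value echoed through `e()`.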