1000projects Online Project Report Submission and Evaluation System Cross-Site Scripting Vulnerability in v1.0
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the 1000projects Online Project Report Submission and Evaluation System version 1.0. The issue resides in the file '/admin/add_student.php', where the 'address' parameter can be manipulated to inject malicious scripts. The vulnerability can be exploited remotely without authentication, although it requires user interaction.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to the theft of cookies, session tokens, or other sensitive information, and allow attackers to perform actions on behalf of the user, deface web pages, or redirect users to malicious sites.
Reproduction
To reproduce this vulnerability, send a request to '/rse/admin/add_student.php' with the 'address' parameter containing a script payload, such as a JavaScript alert. This can be done using a tool that automates the injection of the script into the parameter, mimicking a user's interaction with the application.
Remediation
It is recommended to encode user input before outputting it to the web page, validate and filter input data to reject or escape potentially malicious content, implement a strict Content Security Policy (CSP), set secure and HttpOnly flags for sensitive cookies, and conduct regular security audits to identify and fix XSS vulnerabilities.
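The remediation steps above, sketched in PHP as an added example; this is not the project's own code. The function names, the address validation policy and the CSP value are assumptions chosen for illustration, and the array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Output encoding: escape at the point of output for an HTML context.
// ENT_QUOTES covers both quote styles, so the value is also safe inside
// a quoted attribute such as value="...".
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation (assumed policy): a non-empty postal address of at most
// 200 bytes made of letters, digits and a small set of punctuation.
// Returns the trimmed value, or null when the input must be rejected.
function validate_address(string $raw): ?string
{
    $address = trim($raw);
    if ($address === '' || strlen($address) > 200) {
        return null;
    }
    if (!preg_match('/\A[\p{L}\p{N} .,#\/\-\r\n]+\z/u', $address)) {
        return null;
    }
    return $address;
}

// Strict CSP: only same-origin scripts, no inline script execution.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Session cookie flags: unreadable from JavaScript, sent over HTTPS only.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample inputs, run from the command line only.
if (PHP_SAPI === 'cli') {
    foreach (['12 Main Street, Apt #4', '<script>alert(1)</script>'] as $sample) {
        $status = validate_address($sample) === null ? 'rejected' : 'accepted';
        echo $status, ' | encoded for output: ', e($sample), PHP_EOL;
    }
}
```

Validation and encoding are applied independently here: a value that passes validation is still passed through e() wherever it is written into a page, so data stored before the fix is also rendered safely.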
