1000projects Online Project Report Submission and Evaluation System Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in version 1.0 of the 1000projects Online Project Report Submission and Evaluation System. The issue resides in the file '/admin/add_title.php', where the 'title' parameter can be manipulated to inject malicious script code. This injected script is then output to the web page without proper encoding or filtering, allowing execution of arbitrary scripts in the context of the user's browser. The vulnerability can be exploited remotely, without any authentication, but requires user interaction.
Impact
Exploitation of this vulnerability allows attackers to execute scripts in the context of the victim's browser. This could lead to theft of cookies, session tokens, or other sensitive information, performing actions on behalf of the victim, defacing web pages, redirecting users to malicious sites, and potentially gaining control over the victim's browser.
Reproduction
To reproduce this vulnerability, send a POST request to '/rse/admin/add_title.php' with the 'title' parameter containing a script tag, such as '<script>alert("XSS")</script>'. This will trigger the cross-site scripting vulnerability by executing the injected script in the browser.
Remediation
It is recommended to encode user input before outputting it to the web page, validate and filter input data to reject or escape potentially malicious content, implement a strict Content Security Policy (CSP), set the Secure and HttpOnly flags on sensitive cookies, and conduct regular security audits to identify and fix XSS vulnerabilities.
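The remediation steps above, sketched in PHP as an added example; this is not the application's own code, which the advisory does not show. The function names, the 200-character limit, the CSP value and the `<td>` output context are assumptions, and the array form of `session_set_cookie_params` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Encode at output time for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the submitted title; returns the trimmed title or null if rejected.
// The 200-character limit is an assumed business rule (hypothetical).
function validate_title($raw): ?string
{
    if (!is_string($raw)) {
        return null; // e.g. title[]=x arrives as an array
    }
    $title = trim($raw);
    // 1-200 code points, no control characters; /u also rejects invalid UTF-8.
    // Markup characters are allowed here and neutralised by e() on output.
    if (preg_match('/\A[^\x00-\x1F\x7F]{1,200}\z/u', $title) !== 1) {
        return null;
    }
    return $title;
}

// A restrictive policy: no inline scripts, same-origin script files only.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

if (PHP_SAPI === 'cli') {
    // Constructed input: the script tag from the Reproduction section.
    $title = validate_title('<script>alert("XSS")</script>');
    echo '<td>' . e($title ?? '') . '</td>', PHP_EOL;
} else {
    // Session cookie is not readable from script and is sent over HTTPS only.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'path' => '/']);
    session_start();
    send_security_headers();

    $title = validate_title($_POST['title'] ?? null);
    if ($title === null) {
        http_response_code(400);
        exit('Invalid title');
    }
    echo '<td>' . e($title) . '</td>';
}
```

Validation alone does not stop the payload, since a script tag is a well-formed string; the encoding in `e()` at the point of output is what prevents the browser from interpreting it as markup.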
