PHPGurukul Online Course Registration Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in PHPGurukul Online Course Registration versions through 3.1. A student can upload an SVG or HTML file in place of a profile photo because the application validates neither the type nor the content of uploaded files. When an administrator later views or edits that student's profile in the student management interface, the file is rendered and the JavaScript it carries executes in the administrator's browser. This can lead to session hijacking and unauthorized actions with administrative privileges.

Impact

Exploitation results in stored cross-site scripting: script embedded in an uploaded file executes in the context of an administrator's browser without any further action by the attacker. An attacker could hijack the administrator's session and act with its privileges, for example creating new admin accounts or accessing sensitive student data.

Reproduction

To reproduce this vulnerability, log in as a student and navigate to the 'My Profile' page. Under 'Upload New Photo', upload an SVG file that contains a script element. Then log in as an administrator, open the 'Manage Students' tab and edit the profile of the student who uploaded the file. The uploaded SVG is rendered and the JavaScript payload executes in the administrator's browser.

Remediation

Validate uploaded photos by content rather than by filename extension or the client-supplied Content-Type: sniff the file bytes, require a decodable raster image, and reject SVG and HTML outright since both can carry script. Store uploads under a server-generated name outside the web root and serve them through a handler, ideally on a separate domain, that sets a fixed Content-Type together with X-Content-Type-Options: nosniff so the browser cannot reinterpret the file as an active document. A Content Security Policy on the administrative pages further restricts which scripts can run should a file still reach the browser.
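As an added example (not code from PHPGurukul or from this advisory), the PHP below implements the upload validation and safe serving described above, and exercises the validator with a constructed SVG of the kind used in the reproduction steps next to a genuine PNG. PHOTO_DIR, the 'photo' form field, the function names and the use of the fileinfo and GD extensions are assumptions.

```php
<?php
// Added example, not PHPGurukul code: hardened profile-photo upload and download
// handlers. PHOTO_DIR, the 'photo' field name and the function names are assumptions.
declare(strict_types=1);

// Storage directory outside the web root (assumed path).
const PHOTO_DIR = __DIR__ . '/../uploads_private/photos';
const MAX_BYTES = 2 * 1024 * 1024;

// Allowlist keyed by the MIME type libmagic reports for the file bytes.
// image/svg+xml and text/html are deliberately absent: both can carry script.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Check a candidate file and return the extension to store it under, or throw.
 * The client-supplied filename and $_FILES['type'] are never consulted; trusting
 * them is exactly the gap the advisory describes.
 */
function validate_photo(string $tmpPath, int $size, int $error): string
{
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $error);
    }
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file size out of range');
    }
    // Sniff the real content type from the bytes, whatever the name says.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }
    // Independent second check: a real raster image must decode (SVG does not).
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException('file is not a decodable image');
    }
    return ALLOWED_TYPES[$mime];
}

/** Validate one entry of $_FILES and store it under a random server-chosen name. */
function store_photo(array $file): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext  = validate_photo($file['tmp_name'], (int)$file['size'], (int)$file['error']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], PHOTO_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name; // persist this name, never the original filename
}

/** Serve a stored photo with headers that stop the browser treating it as a document. */
function serve_photo(string $name): void
{
    // Accept only the exact shape store_photo() produces: no traversal, no other types.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name) || !is_file(PHOTO_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    $path = PHOTO_DIR . '/' . $name;
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');                              // no MIME sniffing
    header('Content-Disposition: attachment; filename="' . $name . '"');    // direct navigation downloads, never renders
    header("Content-Security-Policy: default-src 'none'; sandbox");         // belt and braces if ever rendered as a document
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

/**
 * Self-check with constructed inputs (not files from the advisory): an SVG
 * carrying a script element, as in the reproduction steps, and a 1x1 PNG
 * generated with GD. Returns what validate_photo() decided for each.
 */
function self_check(): array
{
    $svg = tempnam(sys_get_temp_dir(), 'svg');
    file_put_contents($svg, '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>');
    $png = tempnam(sys_get_temp_dir(), 'png');
    imagepng(imagecreatetruecolor(1, 1), $png);
    $out = [];
    foreach (['svg' => $svg, 'png' => $png] as $label => $path) {
        try {
            $out[$label] = 'accepted as .' . validate_photo($path, (int)filesize($path), UPLOAD_ERR_OK);
        } catch (RuntimeException $e) {
            $out[$label] = 'rejected: ' . $e->getMessage();
        }
        unlink($path);
    }
    return $out;
}

// Upload endpoint:   $stored = store_photo($_FILES['photo']);
// Download endpoint: serve_photo((string)($_GET['f'] ?? ''));   CLI check: print_r(self_check());
```

The two checks in validate_photo() are intentionally independent: libmagic catches an SVG or HTML document regardless of its extension, and getimagesize() catches anything that is not a real raster image even if the sniffer is fooled. Content-Disposition: attachment does not affect images embedded with an img tag, so profile photos still display in the admin interface; it only stops a file from being rendered as a top-level document when its URL is opened directly.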

Added: Jan 2, 2026, 10:17 AM
Updated: Jan 2, 2026, 5:16 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.