itsourcecode Fees Management System Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the itsourcecode Fees Management System version 1.0. The issue arises in the index.php file, where user-supplied input through the 'page' parameter is not properly sanitized before being reflected in the output. This flaw allows attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability can be exploited remotely without authentication, simply by convincing a user to click on a malicious link.

Impact

Exploitation of this vulnerability allows for session hijacking, unauthorized actions, data theft, and distribution of malware.

Reproduction

To reproduce this vulnerability, send a request to 'index.php' with a crafted 'page' parameter that includes JavaScript payloads, such as an alert script. The injected script will execute in the browser, demonstrating the XSS vulnerability.

Remediation

To address this vulnerability, validate the 'page' parameter against an allow-list of expected values and reject anything else, rather than trying to strip individual special characters. Apply output encoding at the point where the value is written into the HTML response, using functions such as htmlspecialchars() or htmlentities(). Additionally, consider adding security headers such as Content-Security-Policy and X-XSS-Protection.
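The following is an added illustration of the remediation above, not code from the Fees Management System itself; the page names in the allow-list and the fallback value are assumed placeholders, and the hypothetical functions show the unsafe reflection pattern next to its hardened form.

```php
<?php
// Added example (not the project's own code): hardening a reflected 'page'
// parameter like the one described for index.php. The page identifiers below
// are assumed placeholders, not the application's real routing table.

declare(strict_types=1);

// Allow-list of page identifiers the router accepts (assumed values).
const ALLOWED_PAGES = ['home', 'students', 'fees', 'reports'];

/**
 * Unsafe pattern: the parameter is written into HTML unchanged, so any
 * markup or script it contains becomes part of the rendered page.
 */
function render_page_vulnerable(string $page): string
{
    return "<h1>Page: $page</h1>";
}

/**
 * Hardened version:
 *  1. Validate against the allow-list and fall back to a safe default, so an
 *     unexpected value never reaches the template at all.
 *  2. Encode on output with htmlspecialchars(), ENT_QUOTES and an explicit
 *     charset, so the value is also safe inside attributes and text nodes.
 */
function resolve_page(?string $page): string
{
    return in_array($page, ALLOWED_PAGES, true) ? $page : 'home';
}

function render_page_safe(?string $page): string
{
    $safe = htmlspecialchars(resolve_page($page), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Page: $safe</h1>";
}

// Constructed sample input containing markup; used when no query string is present.
$input = $_GET['page'] ?? '<b>not-a-page</b>';

header('Content-Type: text/html; charset=UTF-8');
// Defence in depth: a restrictive CSP blocks inline script even if an encoding step is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// The allow-list rejects the sample value, so this renders "<h1>Page: home</h1>".
echo render_page_safe($input);
// render_page_vulnerable($input) would instead reflect the markup unencoded.
```

Note that X-XSS-Protection is ignored by current browsers and should not be relied on; Content-Security-Policy is the header that still provides meaningful defence in depth.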

Added: Jun 2, 2026, 12:23 AM
Updated: Jun 2, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.