PHPGurukul News Portal
cpe:2.3:a:phpgurukul:news_portal:*:*:*:*:*:*:*
- <= 1.0
A stored cross-site scripting vulnerability has been identified in PHPGurukul News Portal version 1.0. This issue arises from unrestricted file uploads in the Profile Pic Handler component, allowing authenticated users to upload malicious SVG files. The application fails to validate or sanitize file types, particularly for SVGs, which can contain embedded JavaScript. When these files are accessed through various admin and subadmin profile management pages, the JavaScript executes in the context of the user viewing the profile, potentially leading to session hijacking and account compromise.
Exploiting this vulnerability allows for stored cross-site scripting, where uploaded SVG files with embedded JavaScript are executed when the profile is viewed, including by administrators.
To reproduce this vulnerability, log in as an admin or subadmin and navigate to the profile upload sections. Upload a malicious SVG file through the profile picture upload feature. For subadmin, the XSS can be triggered by opening the uploaded image in a new tab.
It is recommended to implement file type validation, in particular disallowing SVG, HTML, and similar file types. Additionally, uploaded files should be sanitized to remove any scripts or event handlers before being served.