SourceCodester Patients Waiting Area Queue Management System Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in SourceCodester Patients Waiting Area Queue Management System version 1.0. The issue resides in the Patient Registration Module, specifically within the registration.php file. The vulnerability is triggered by manipulating the First Name input field, which accepts unvalidated raw HTML and JavaScript. This injected content is then stored in the database and executed when the corresponding patient record is accessed through the Patient Search interface.
Impact
Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the patient record. This could lead to unauthorized actions being performed on behalf of the user, such as accessing sensitive patient information, compromising user accounts, or manipulating patient data. In a healthcare setting, such actions could have serious privacy and regulatory implications.
Reproduction
To reproduce this vulnerability, access the New Patient Registration page and enter a payload, such as an image tag with an 'onerror' event, into the First Name field. After filling in the required information and completing the registration, navigate to the Patient Search page and look up the newly created patient record. The injected script will execute automatically, demonstrating the cross-site scripting vulnerability.
Remediation
To address this vulnerability, implement proper input validation and output encoding before displaying user-generated content. Additionally, consider using a Content Security Policy to restrict the execution of scripts. Periodic security audits and code reviews can also help identify and mitigate such vulnerabilities.
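The remediation steps above, sketched in PHP as an added example; it is not code from the application, and the function names, the name pattern, the 50-character limit and the sample record are assumptions made for illustration.

```php
<?php
// Hypothetical helpers; none of these names come from the application's source.

// Input validation at registration: accept only letters, combining marks,
// spaces, apostrophes and hyphens, 1 to 50 characters (assumed policy).
function validate_first_name(string $raw): ?string
{
    $name = trim($raw);
    $ok = preg_match('/^[\p{L}\p{M}][\p{L}\p{M} \'\-]{0,49}\z/u', $name) === 1;
    return $ok ? $name : null;
}

// Output encoding at render time: this is the control that actually stops
// stored markup from executing, including rows saved before validation existed.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical search-result row; every database value passes through e().
function render_patient_row(array $patient): string
{
    return '<tr><td>' . e($patient['first_name']) . '</td><td>'
         . e($patient['last_name']) . '</td></tr>';
}

// Defence in depth: a policy without 'unsafe-inline' stops inline event
// handlers and inline <script> from running even if an encoding call is missed.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample: a legacy row that already contains markup of the kind
// described under Reproduction, plus one ordinary name.
$legacy = ['first_name' => '<img src=x onerror=alert(1)>', 'last_name' => 'Doe'];

var_dump(validate_first_name($legacy['first_name'])); // rejected at input
var_dump(validate_first_name('Anne-Marie'));          // accepted
echo render_patient_row($legacy), PHP_EOL;            // rendered as inert text
```

Validation alone does not clean records already in the database, so the encoding call belongs on every page that prints patient fields, not only the Patient Search results.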
