Code-Projects Online Food Ordering System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Online Food Ordering System version 1.0. The issue resides in the name parameter of the /dbfood/contact.php file. This vulnerability allows for the injection of malicious JavaScript, which is executed when the stored contact message is viewed. The flaw arises from inadequate input sanitization and output encoding, enabling injected scripts to run in the context of the user's browser session.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, theft of authentication cookies, unauthorized actions on behalf of authenticated users, or the injection of malicious content into the application interface.

Reproduction

To reproduce this vulnerability, install and run the Online Food Ordering System PHP application. Navigate to the Contact page and submit a message with a JavaScript payload in the name parameter. Once the message is saved, access the administrative interface or any page where contact messages are displayed. The injected script executes automatically, demonstrating the stored cross-site scripting vulnerability.

Remediation

It is recommended to properly sanitize and validate user input before storing it in the database. Additionally, implement output encoding to escape user-controlled data before rendering it in HTML. Regular security testing should be conducted to identify and address such vulnerabilities.
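The following is an added example, not code from the Online Food Ordering System project, illustrating the defect described in the Vulnerability section and the two remediation steps above: rendering a stored contact name into HTML without encoding, beside a hardened version that validates the name on input and HTML-encodes it on output. The function names, the validation policy and the sample input are assumptions; the real /dbfood/contact.php is not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Function names and the
// validation rules below are assumptions for illustration.

// --- Vulnerable pattern (the behaviour the advisory describes) ---
// The stored name is interpolated straight into markup, so any tags or
// attributes it contains become part of the page.
function render_message_vulnerable(string $name, string $message): string
{
    return "<tr><td>{$name}</td><td>{$message}</td></tr>";
}

// --- Hardened pattern: validate on input ---
// Assumed policy: a display name is 1..64 characters of letters (any script),
// combining marks, spaces, apostrophes, hyphens and dots. Anything else is
// rejected rather than "cleaned", so the caller can show a validation error.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// --- Hardened pattern: encode on output ---
// Encoding happens at render time regardless of validation, so a value that
// reached the database by another path still cannot become markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_message_safe(string $name, string $message): string
{
    return '<tr><td>' . h($name) . '</td><td>' . h($message) . '</td></tr>';
}

// Assumed request handler: returns either a validation error or the record
// that may be stored. Persisting it (with a prepared statement) is left to
// the caller.
function handle_contact_post(array $post): array
{
    $name = validate_name((string) ($post['name'] ?? ''));
    if ($name === null) {
        return ['ok' => false, 'error' => 'Please enter a valid name.'];
    }
    return ['ok' => true, 'record' => ['name' => $name, 'message' => (string) ($post['message'] ?? '')]];
}

// Constructed sample input containing markup characters.
$sample = 'Alice <script>x</script>';

echo render_message_vulnerable($sample, 'hello'), PHP_EOL; // tag is emitted verbatim
echo render_message_safe($sample, 'hello'), PHP_EOL;       // Alice &lt;script&gt;x&lt;/script&gt;
var_dump(handle_contact_post(['name' => $sample])['ok']);  // bool(false): rejected on input
var_dump(handle_contact_post(['name' => "O'Brien"])['ok']); // bool(true)
```

Both layers matter: validation narrows what gets stored, but output encoding is the control that actually prevents stored data from being parsed as HTML, and it must be applied at every place the message is rendered, including the administrative view mentioned in the advisory.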

Added: Mar 26, 2026, 10:20 PM
Updated: Mar 26, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.9
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.