Code-Projects Social Networking Site
cpe:2.3:a:code-projects:social_networking_site:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in Code-Projects Social Networking Site version 1.0. The issue arises in the Alert Handler component, specifically within the home.php file. The vulnerability allows malicious scripts to be injected into post content, where they are executed when other users view the feed. Exploitation is possible because the application fails to properly sanitize user input before it is stored in the database and displayed on the website.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user, potentially leading to session hijacking, cookie theft, and unauthorized actions performed on behalf of the user.
To reproduce this vulnerability, log into the application and create a post. Insert a payload, such as a details element with an ontoggle event, into the content field. Once the post is published, navigate to the feed page where the post is displayed. The injected script will execute, demonstrating the cross-site scripting vulnerability.
It is recommended to implement input validation and output encoding for user-generated content. Additionally, a Content Security Policy can be applied to mitigate the risk of script execution.
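The recommendation above, as an added example that is not code from home.php or from the project: the function names, the length limit and the policy string are assumptions, and the sample post content is constructed with an inert handler body. It shows the weak rendering beside output encoding, a write-time validation check and a Content Security Policy header, and assumes the mbstring extension is loaded.

```php
<?php
// Added example: hypothetical helpers, not the project's own code.

// Constructed sample of stored post content (handler body is an inert comment).
$storedContent = '<details open ontoggle="/* constructed marker */">hello</details>';

// Weak form: stored content is concatenated into the page unchanged, so the
// browser parses the element together with its event-handler attribute.
function render_post_raw(string $content): string
{
    return '<div class="post">' . $content . '</div>';
}

// Hardened form: encode for the HTML body context at output time. The
// database keeps the original text; the browser only ever sees entities.
function render_post_encoded(string $content): string
{
    $safe = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="post">' . nl2br($safe, false) . '</div>';
}

// Input validation on write: reject empty, oversized, badly encoded or
// control-character content. This complements output encoding, it does
// not replace it.
function validate_post(string $content, int $maxLen = 2000): bool
{
    return $content !== ''
        && mb_check_encoding($content, 'UTF-8')
        && mb_strlen($content, 'UTF-8') <= $maxLen
        && !preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $content);
}

// CSP without 'unsafe-inline': inline <script> blocks and inline event-handler
// attributes are not executed, even if an encoding step is missed somewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

if (PHP_SAPI !== 'cli') {
    send_csp_header(); // must run before any output is sent
}

var_dump(validate_post($storedContent));          // passes: validation alone does not stop markup
echo render_post_raw($storedContent), "\n";       // markup reaches the browser intact
echo render_post_encoded($storedContent), "\n";   // &lt;details ... &gt; shown as text
```

A page that relies on its own inline scripts or inline handlers needs those moved to external files before this policy can be enforced.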