SourceCodester Leave Application System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in SourceCodester Leave Application System version 1.0. The issue lies in the User Management Handler component, which neither validates input nor encodes output for several fields, including those used when adding employees and users. An attacker who can reach these forms can store JavaScript in the database; the script then executes whenever another user, including an administrator, views the page that lists the stored records. The vulnerability can be exploited remotely, and a public proof-of-concept is available.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript to run in the browser of any user who views the affected page, with that user's privileges and session. Against an administrator this can mean session hijacking (if the session cookie is not marked HttpOnly), unauthorized actions performed through the victim's browser, or theft of sensitive data displayed by the application. In a real-world scenario this can result in account takeover or privilege escalation.

Reproduction

To reproduce this vulnerability, log into the application and open the 'Add Employee' or 'Add User' form. Enter a payload such as an image tag with an 'onerror' event (for example <img src=x onerror=alert(1)>) into one of the text fields and save the record. Then open the listing page where the stored data is displayed: the browser parses the stored markup, the image fails to load, and the onerror handler runs as soon as the page loads, with no further user interaction. Because the payload persists in the database, it fires for every user who views the listing, not only the one who submitted it.

Remediation

It is recommended to encode all user-supplied data at the point it is written into HTML, rather than relying on input filtering alone. In PHP this means passing each value through htmlspecialchars() with ENT_QUOTES and an explicit charset (for example 'UTF-8') so that <, >, &, " and ' are rendered as text instead of markup. Server-side input validation (for example restricting employee names to an expected character set and length) is a useful secondary control, and a Content-Security-Policy header together with HttpOnly session cookies limits what an injected script can do if encoding is missed somewhere.
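The following is an added example, not code from SourceCodester Leave Application System. It shows the rendering pattern behind the stored XSS described in the Reproduction section and the htmlspecialchars() fix recommended above, side by side. The record array, field names (name, position) and the onerror payload are constructed for illustration and are assumptions, not the application's actual schema.

```php
<?php
// Added example, not code from the vulnerable application.
// Compares echoing a stored value straight into HTML with encoding it first.
declare(strict_types=1);

// Constructed sample records, as they might sit in the database after an
// attacker saved the second one through an "Add Employee" / "Add User" form.
$records = [
    ['id' => 1, 'name' => 'Alice Example', 'position' => 'Engineer'],
    ['id' => 2, 'name' => '<img src=x onerror=alert(document.cookie)>', 'position' => 'Intern'],
];

// Vulnerable pattern: stored values are interpolated directly into markup,
// so any tags an attacker saved are parsed by the victim's browser.
function renderRowVulnerable(array $row): string
{
    return "<tr><td>{$row['id']}</td><td>{$row['name']}</td><td>{$row['position']}</td></tr>";
}

// Encoder for an HTML element or attribute context. ENT_QUOTES also encodes
// single quotes, ENT_SUBSTITUTE prevents invalid UTF-8 from silently emptying
// the output, and the explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every untrusted value is encoded at output time, so the
// payload is shown as literal text and never becomes an element.
function renderRowSafe(array $row): string
{
    return '<tr><td>' . h((string) $row['id']) . '</td><td>' . h($row['name'])
        . '</td><td>' . h($row['position']) . '</td></tr>';
}

// Simple regression check: does the rendered markup still contain the tag?
function containsHtmlTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

foreach ($records as $row) {
    $vuln = renderRowVulnerable($row);
    $safe = renderRowSafe($row);
    echo "vulnerable: {$vuln}\n";
    echo "hardened:   {$safe}\n";
    echo 'vulnerable output contains <img>: ' . (containsHtmlTag($vuln, 'img') ? 'yes' : 'no') . "\n";
    echo 'hardened output contains <img>:   ' . (containsHtmlTag($safe, 'img') ? 'yes' : 'no') . "\n\n";
}
```

Run with `php example.php`. For the second record the vulnerable renderer emits a live <img> element whose onerror handler fires in the viewer's browser, while the hardened renderer emits `&lt;img src=x onerror=alert(document.cookie)&gt;`, which the browser displays as text. The encoder is applied at output time rather than when the record is saved, so data that reached the database before the fix is also neutralized; values placed inside a <script> block, a URL, or an inline event handler need a context-specific encoder rather than htmlspecialchars() alone.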

Added: Mar 31, 2026, 7:25 PM
Updated: Mar 31, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.