Code-Projects BloodBank Managing System
cpe:2.3:a:code-projects:blood_bank_management_system:*:*:*:*:*:*:*
- 1.0
A stored cross-site scripting vulnerability has been identified in Code-Projects BloodBank Managing System version 1.0. The issue resides in the administrative file '/admin_state.php', specifically within the state management feature. The vulnerability is triggered by the 'statename' parameter, which is accepted via an HTTP POST request. The application fails to properly validate or sanitize this input before storing it in the database. As a result, malicious HTML or JavaScript can be injected and executed in the browsers of users who view the affected page.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to session cookie theft, hijacking of administrator sessions, unauthorized actions within the application, injection of malicious content into the administrative interface, or phishing attacks against application users. Since the injected payload is stored in the database, all users who access the compromised page are affected.
To reproduce the vulnerability, install the Blood Bank Managing System PHP application and log into the administrative panel. Open the State Management page and, using an intercepting proxy such as Burp Suite, capture the POST request that adds a new state. Replace the value of the 'statename' parameter with a JavaScript payload (for example a script tag that calls prompt()) and forward the request. Opening the state list page then executes the stored payload in the browser, confirming the vulnerability.
The primary fix is context-appropriate output encoding: encode user-controlled data (for HTML body content in PHP, htmlspecialchars with ENT_QUOTES) at the point where it is rendered, not only at the point where it is stored. In addition, validate 'statename' against an allow-list before saving it to the database, and deploy a Content Security Policy that disallows inline scripts so that a missed encoding elsewhere does not immediately become script execution.
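The following PHP is an added example that illustrates the flaw described above and its remediation; it is not code from Code-Projects BloodBank Managing System. The table name `states`, the column `statename`, the function names, the in-memory SQLite database and the `<script>prompt(1)</script>` input are all constructed for the example. Storage is done with a prepared statement in both versions so that the only difference between them is input validation and output encoding, which is where the stored XSS lives.

```php
<?php
// Added example, not the project's code. Assumed schema: table `states`, column `statename`.

// --- Vulnerable pattern, as the advisory describes it ---
// The POST value is stored verbatim and later echoed into HTML without encoding.
function vulnerable_add_state(PDO $pdo, array $post): void
{
    $name = $post['statename'] ?? '';
    // No validation of the value; the prepared statement only protects the SQL layer.
    $stmt = $pdo->prepare('INSERT INTO states (statename) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function vulnerable_render_states(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT statename FROM states') as $row) {
        // Raw output: a stored <script> payload runs in every admin's browser.
        $html .= '<li>' . $row['statename'] . '</li>';
    }
    return $html . '</ul>';
}

// --- Hardened version ---
function safe_add_state(PDO $pdo, array $post): bool
{
    $name = trim((string) ($post['statename'] ?? ''));
    // Allow-list validation: letters, spaces, hyphens and apostrophes, bounded length.
    if ($name === '' || strlen($name) > 64 || !preg_match("/^[\\p{L} '\\-]+$/u", $name)) {
        return false; // reject rather than "clean up" the input
    }
    $stmt = $pdo->prepare('INSERT INTO states (statename) VALUES (:name)');
    return $stmt->execute([':name' => $name]);
}

function html_escape(string $s): string
{
    // ENT_QUOTES encodes both quote styles, so the value is also safe inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_render_states(PDO $pdo): string
{
    $html = '<ul>';
    foreach ($pdo->query('SELECT statename FROM states') as $row) {
        // Encode at the output point, whatever the stored value is.
        $html .= '<li>' . html_escape($row['statename']) . '</li>';
    }
    return $html . '</ul>';
}

function send_csp(): void
{
    // Defense in depth: no inline scripts, even if an encoding is missed somewhere.
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    }
}

// --- Demonstration on an in-memory database (constructed input) ---
send_csp();
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE states (statename TEXT)');

$post = ['statename' => '<script>prompt(1)</script>']; // constructed attacker input

vulnerable_add_state($pdo, $post);
echo vulnerable_render_states($pdo), PHP_EOL; // <li><script>prompt(1)</script></li>: executes

var_dump(safe_add_state($pdo, $post));         // bool(false): rejected by the allow-list
echo safe_render_states($pdo), PHP_EOL;        // &lt;script&gt;prompt(1)&lt;/script&gt;: shown as text
```

The two defenses are independent: `safe_render_states` neutralises the payload already sitting in the database from the vulnerable path, while `safe_add_state` stops new ones from being stored. Output encoding is the one that actually closes the XSS; the allow-list is a bonus and must be relaxed if real state names need other characters. The `script-src 'self'` policy only helps if the application's own pages do not rely on inline scripts, so check that before deploying it.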