Code-Projects Simple ChatBox Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Code-Projects Simple ChatBox version 1.0. The issue resides in the chat message handling functionality, specifically within the file '/chatbox/insert.php'. The vulnerability allows for the injection of malicious scripts through the 'msg' parameter via an HTTP GET request. User input is not properly validated or sanitized before being stored and later displayed in the chat interface, enabling the execution of injected JavaScript in the context of the user viewing the chat.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the affected user, potentially leading to session hijacking, cookie theft, and unauthorized actions performed on behalf of the user. Additionally, injected content persists in the chat, affecting all users who view it.
Reproduction
To reproduce this vulnerability, install the Simple ChatBox PHP application. Once installed, open the chat interface and intercept or manually craft a request to the '/chatbox/insert.php' endpoint. Inject a script payload into the 'msg' parameter, such as a JavaScript alert. After sending the request, reload the chat interface; the injected script executes, demonstrating the stored cross-site scripting vulnerability.
Remediation
Sanitize user input before storing it and implement proper output encoding before rendering data in HTML. Additionally, consider applying a Content Security Policy to mitigate the impact of any executed scripts.
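The three measures above, sketched together as an added example (not code from Simple ChatBox or its author). The table layout, the 500-byte limit, the CSP directives and the function names open_store, store_message, render_chat and send_csp are assumptions made for illustration; it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
declare(strict_types=1);

// Assumed schema: the page does not show the application's real table layout.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, msg TEXT NOT NULL)');
    return $db;
}

// Input side: validate, then store the text as plain data via a bound parameter.
function store_message(PDO $db, string $msg): bool {
    $msg = trim($msg);
    $tooLong = strlen($msg) > 500;                    // assumed limit, in bytes
    $badUtf8 = preg_match('//u', $msg) !== 1;         // rejects invalid UTF-8
    $hasCtrl = preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $msg) === 1;
    if ($msg === '' || $tooLong || $badUtf8 || $hasCtrl) {
        return false;
    }
    return $db->prepare('INSERT INTO messages (msg) VALUES (:msg)')
              ->execute([':msg' => $msg]);
}

// Output side: encode every stored message for the HTML body context.
function render_chat(PDO $db): string {
    $html = "<ul id=\"chat\">\n";
    foreach ($db->query('SELECT msg FROM messages ORDER BY id') as $row) {
        $safe = htmlspecialchars($row['msg'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "  <li>{$safe}</li>\n";
    }
    return $html . "</ul>\n";
}

// Defence in depth: with inline scripts disallowed, markup that slips through does not run.
function send_csp(): void {
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    }
}

send_csp();
$db = open_store();
$sample = '<script>alert(1)</script>';                // constructed sample input
var_dump(store_message($db, $sample));                // accepted and kept as plain text
var_dump(store_message($db, str_repeat('A', 501)));   // fails the length check
echo render_chat($db);
```

The encoding step is what neutralises the payload; the input checks and the CSP header only narrow what reaches the page and what a missed encoding could do.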
