Code-Projects Home Service System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Home Service System version 1.0. The issue resides in the Appointment Booking component, specifically within the booking.php file. The vulnerability is triggered by manipulating the fname and lname parameters, allowing remote, unauthenticated attackers to inject malicious JavaScript. This injected script is executed in the context of the administrator's browser when they access the Manage Booking section in admin.php. The exploitation of this vulnerability could lead to the theft of the admin session cookie, allowing the attacker to take over the admin account and perform administrative actions.

Impact

Exploitation of this vulnerability allows for complete administrative account takeover. The injected script executes in the admin's browser, stealing the session cookie and hijacking the admin session, thereby granting full access to the admin panel and its functionalities.

Reproduction

To reproduce this vulnerability, navigate to the booking page as an unauthenticated user. Inject a script payload into the 'First Name' field, using a valid 'Last Name' and other required fields. After submitting the form, the payload will be executed when an administrator visits the 'Manage Booking' section in the admin panel.

Remediation

It is recommended to escape user-supplied input with htmlspecialchars() using the ENT_QUOTES flag before it is stored or rendered. Additionally, setting a Content Security Policy (CSP) header and validating all form inputs on the server side help mitigate this vulnerability.
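The following PHP is an added example, not code from the Home Service System project or from the advisory. It puts the unsafe pattern described under "Vulnerability" (stored fname/lname written straight into the admin "Manage Booking" page) next to the remediation recommended above: server-side validation of the name fields, htmlspecialchars() with ENT_QUOTES at the point of output, and a CSP header. The function names (esc, validateName, renderRowVulnerable, renderRowSafe), the $booking record and the sample first-name value are constructed for this illustration; the real booking.php and admin.php code is not shown on the page.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Function names, the $booking
// record and the sample input are constructed for this illustration.

// Escape a user-controlled string for an HTML text or quoted-attribute context.
// ENT_QUOTES encodes both ' and " so the value cannot break out of an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation for a name field (fname or lname): letters from any
// script, spaces, hyphens and apostrophes, at most 60 characters.
// Returns null when the submission should be rejected instead of stored.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    return preg_match('/^[\p{L}\' -]+$/u', $name) === 1 ? $name : null;
}

// Constructed booking row as it would be read back from the database after a
// malicious booking: the first name carries markup, the last name is benign
// but contains an apostrophe, which is why validation alone is not the fix.
$booking = [
    'fname' => 'Alice<script>alert(1)</script>',
    'lname' => "O'Brien",
];

// Vulnerable pattern: values are concatenated into the table unescaped, so the
// browser of whoever views the page (here the administrator) parses the stored
// markup as HTML and executes the script.
function renderRowVulnerable(array $b): string
{
    return '<tr><td>' . $b['fname'] . '</td><td>' . $b['lname'] . "</td></tr>\n";
}

// Hardened pattern: every user-controlled value is escaped where it is written
// into HTML, so the same stored string is displayed as literal text.
function renderRowSafe(array $b): string
{
    return '<tr><td>' . esc($b['fname']) . '</td><td>' . esc($b['lname']) . "</td></tr>\n";
}

// Defence in depth for the admin page: a CSP that only allows scripts from the
// site's own origin blocks inline script even if an escape is missed somewhere.
// Headers must be sent before any output; skipped when run from the CLI.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Input side: validation applied to both stored values. The markup-bearing
// first name does not match the allowed character class and comes back null;
// the apostrophe in the last name is allowed.
var_dump(validateName($booking['fname']));
var_dump(validateName($booking['lname']));

// Output side: the same stored row rendered unsafely and safely.
echo "Vulnerable row:\n", renderRowVulnerable($booking);
echo "Hardened row:\n", renderRowSafe($booking);
```

Run it with `php example.php` from a shell to see both renderings side by side. The design point is that output escaping is the control that actually neutralises an already-stored payload: input validation reduces what reaches the database, but legitimate names contain apostrophes, so the admin page still has to escape every stored value it prints. Setting `session.cookie_httponly` for the PHP session limits the specific cookie-theft outcome the advisory describes, although script running in the administrator's browser could still drive the admin panel directly, so escaping remains the primary fix.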

Added: Apr 27, 2026, 6:18 AM
Updated: Apr 27, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.