Code-Projects Chat System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Code-Projects Chat System version 1.0. This issue arises in the chat interface, specifically within the admin send message functionality. The vulnerability allows for the injection of malicious scripts through the message parameter, which are then executed when the chatroom is accessed. This exploitation can be performed remotely by any registered user with a valid session.

Impact

Exploitation of this vulnerability allows for the injection of scripts that are executed in the context of the user viewing the chatroom. This can lead to session hijacking, as cookies are exposed to the attacker. Additionally, the vulnerability could be used to perform actions as an administrator, redirect users to malicious sites, or even propagate a worm that spreads the XSS payload to other users.

Reproduction

To reproduce this vulnerability, send a POST request to '/admin/send_message.php' with a script injection in the 'msg' parameter. Ensure that the 'id' parameter is also included to specify the chatroom. Once the message is sent, the injected script will execute when the chatroom is accessed.

Remediation

It is recommended to sanitize and validate input before storing it in the database, escape output when rendering messages, and implement a Content Security Policy to restrict script execution.