#Projectworlds Online Project Report Submission and Evaluation System Project V1.0 /rse/admin/add_title.php cross site scripting #14
Description
#Projectworlds Online Project Report Submission and Evaluation System Project V1.0 /rse/admin/add_title.php cross site scripting
title OF AFFECTED PRODUCT(S)
- Online Project Report Submission and Evaluation System
Vendor Homepage
- 1000projects.org
#AFFECTED AND/OR FIXED VERSION(S)
submitter
- USTC-l1nk
Vulnerable File
- /rse/admin/add_title.php
VERSION(S)
- V1.0
Software Link
#PROBLEM TYPE
Vulnerability Type
- XSS
Root Cause
-
An XSS vulnerability was found in the ' /rse/admin/add_title.php' file of the 'Online Project Report Submission and Evaluation System' project. The reason for this issue is that attackers inject malicious script code from the parameter 'title' and the system outputs the user input directly to the web page without appropriate encoding or filtering. This allows attackers to execute arbitrary script code in the victim's browser, thereby performing unauthorized operations.
Impact -
Attackers can exploit this XSS vulnerability to steal cookies, session tokens, or other sensitive information of the victim, perform actions on behalf of the victim, deface web pages, redirect users to malicious websites, and even gain control of the victim's browser, posing a serious threat to user privacy and system security.
titleRIPTION -
During the security review of "Online Project Report Submission and Evaluation System", I discovered a critical XSS vulnerability in the " /rse/admin/add_title.php" file. This vulnerability stems from insufficient user input validation and output encoding of the 'title' parameter, allowing attackers to inject malicious script code. Therefore, attackers can execute arbitrary scripts in the victim's browser, steal sensitive information, and perform operations on behalf of the victim. Immediate remedial measures are needed to ensure system security and protect user data.
No login or authorization is required to exploit this vulnerability
##Vulnerability details and POC
Vulnerability location:
- 'title' parameter
Payload:
<script>alert('XSS')</script>The following are screenshots of some specific information obtained from testing and running with the relevant tool:
"http://10.20.33.16 /rse/admin/add_title.php" --data="batch=2019&title=<script>alert('XSS')</script>&desc=111&add=add" 
##Suggested repair
1.Output encoding:
Encode user input when outputting it to the web page. Different contexts (such as HTML, JavaScript, CSS, URL) require different encoding methods to ensure that the input is treated as pure text and not executed as code.
2.Input validation and filtering:
Strictly validate and filter user input data. Only allow input that conforms to the expected format and reject or escape any potentially malicious content, such as script tags, event handlers, etc.
3.Use Content Security Policy (CSP):
Implement a strict CSP to restrict the sources of scripts that can be executed on the web page, preventing the execution of unauthorized inline scripts and external scripts.
4.Set secure and HttpOnly flags for cookies:
For sensitive cookies (such as session cookies), set the HttpOnly flag to prevent access via JavaScript, and set the Secure flag to ensure they are only transmitted over HTTPS, reducing the risk of cookie theft.
5.Regular security audits:
Regularly conduct code and system security audits to promptly identify and fix potential XSS vulnerabilities and other security issues.