SourceCodester Garage Management System createUser.php cross site scripting

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Garage Management System version 1.0. The issue resides in the /php_action/createUser.php file, where the userName parameter is not properly sanitized before being stored. An attacker can inject arbitrary HTML and JavaScript code, which will be executed when the stored data is rendered in the application. The vulnerability is classified as problematic and has been publicly disclosed [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to /php_action/createUser.php with a malicious payload in the userName field. The request does not require authentication if the user creation functionality is accessible, but the reference shows a session cookie indicating that an authenticated user with user creation privileges can trigger the XSS. The payload, such as lala, is stored in the database and executed when an administrator or other user views the user list or profile [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information, or further attacks against the application. The impact is limited to the browser session of users who view the affected user data, but it can be used to compromise administrative accounts if an admin views the malicious entry [1].

Mitigation

As of the publication date (2022-07-29), no official patch has been released by the vendor. Users should apply input validation and output encoding to the userName parameter. Specifically, sanitize user input to remove or escape HTML tags before storing and rendering. Until a fix is available, restrict access to the user creation functionality to trusted users only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].