VYPR
Unrated severity · NVD Advisory · Published Oct 24, 2024 · Updated Oct 25, 2024

SourceCodester Best House Rental Management System Manage Tenant Details index.php cross site scripting

CVE-2024-10348

Description

A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only shows the field "Last Name" to be affected. Other fields might be affected as well.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Best House Rental Management System 1.0 allows attackers to inject arbitrary JavaScript via tenant name fields, leading to session hijacking or credential theft.

Vulnerability

The Best House Rental Management System 1.0 from SourceCodester is vulnerable to stored cross-site scripting (XSS) in the Manage Tenant Details functionality. The application fails to sanitize the Last Name, First Name, and Middle Name parameters when submitted via POST to /index.php?page=tenants. This allows an attacker to inject arbitrary scripts that are stored and executed when any user visits the tenants page. The vulnerability affects version 1.0 of the software.

Exploitation

An attacker can remotely exploit this vulnerability by submitting a crafted payload in the Last Name, First Name, or Middle Name fields while adding or editing a tenant. The attacker needs network access to the vulnerable endpoint and can perform the attack without authentication if the tenant management page is publicly accessible. The payload is stored in the database and triggers when an administrator or user views the tenants list, as demonstrated in the proof of concept provided by the researcher [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, website defacement, or redirection to malicious sites. The impact is limited to the browser session of users who view the affected tenant details, but can result in further compromise if administrative sessions are hijacked.

Mitigation

As of the publication date (2024-10-24), no official patch has been released by SourceCodester. Users should implement input validation and output encoding for all name fields. A web application firewall (WAF) can be used to block malicious inputs. Since the exploit has been publicly disclosed, organizations using this software should apply safeguards immediately until a vendor fix is available.
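The two safeguards named above, input validation and output encoding, as an added PHP example written for this advisory and not taken from the SourceCodester code base (the helper names and the tenant array layout are assumptions; the field names follow the advisory):

```php
<?php
// Added example for this advisory; not the SourceCodester application's own code.
// Field names mirror the advisory (First/Middle/Last Name); helper names are assumed.

// Input validation: a name is 1..60 characters of letters, combining marks,
// spaces, apostrophes, hyphens and dots. Anything else is rejected, not "cleaned".
function validate_name(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 60) {
        return null;
    }
    if (!preg_match("/^[\p{L}\p{M}' .-]+$/u", $value)) {
        return null;
    }
    return $value;
}

// Output encoding for an HTML text context. ENT_QUOTES also encodes ' and ",
// which matters when the same value is later echoed inside an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern, the bug class the advisory describes: the stored value
// is interpolated into the tenants table markup without encoding.
function render_row_vulnerable(array $tenant): string
{
    return "<td>{$tenant['lastname']}, {$tenant['firstname']} {$tenant['middlename']}</td>";
}

// Hardened pattern: every untrusted value is encoded at the point of output,
// independent of whatever validation ran when the record was stored.
function render_row_safe(array $tenant): string
{
    return '<td>' . h($tenant['lastname']) . ', ' . h($tenant['firstname'])
         . ' ' . h($tenant['middlename']) . '</td>';
}

// Constructed sample record whose last name carries markup instead of a name.
$tenant = ['firstname' => 'Ana', 'middlename' => 'M.', 'lastname' => '<b>not a name</b>'];

// On input the value is rejected; on output it is rendered as inert text.
var_dump(validate_name($tenant['lastname']));
echo render_row_safe($tenant), PHP_EOL;
```

Validation alone is not sufficient, because records written before the check was added (or through another code path) are still rendered; the encoding in the output helper is what keeps a stored value from executing.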

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)