System Description

🎓 PHP Education Manager – All-in-one platform for schools & colleges! 📚 Courses | 👨‍🎓 Students | 📂 Resources | 🛠 Admin Panel Simple, smart & scalable education system powered by PHP! 🚀💡

GitHub address: https://github.com/Iqbolshoh/php-education-management

Vulnerability Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the topics management module (topics.php). An attacker who can create or update topics can inject a JavaScript payload into the Title field. The payload is stored in the database and executed in the browser of any administrator who views the topics list, enabling session hijacking (if the session cookie is not marked HttpOnly) or actions performed with the administrator's privileges.

Vulnerability Analysis

The vulnerability originates from two critical flaws in topics.php:

Unsanitized Database Insertion/Update

User input from $_POST['title'] is stored in the database directly, without validation or sanitization:

[Screenshot: the insert/update code in topics.php storing $_POST['title'] as received]

This allows arbitrary HTML/JavaScript payloads such as </h3><script>alert(1);</script> to be persisted in the lessons table.

Unescaped Output Rendering

When displaying topics, the title is output without HTML escaping:

[Screenshot: the output code in topics.php echoing the stored title unescaped]

Because the stored value is written into the page verbatim, the browser parses the payload as markup and executes the script.
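The following is an added example, not code from the project: it puts the unescaped rendering pattern described above next to a hardened version, and stores the title through a bound parameter instead of building the SQL by hand. The lessons table layout (title, description columns) and the <h3> wrapper are assumptions taken from the advisory text; an in-memory SQLite database stands in for the application's database so the script runs stand-alone.

```php
<?php
// Added example, not the project's own code. Assumes a `lessons` table with
// `title` and `description` columns, as the advisory names them, and that
// the title is rendered inside an <h3> (which is why the payload opens with
// a closing </h3>). Uses an in-memory SQLite database so it runs offline.

declare(strict_types=1);

// Vulnerable output pattern, as described in the advisory: the stored title
// is concatenated into the HTML with no escaping.
function render_title_vulnerable(string $title): string
{
    return '<h3>' . $title . '</h3>';
}

// Hardened output: escape at the point of rendering, with ENT_QUOTES so the
// value is also safe inside single- or double-quoted attributes.
function render_title_safe(string $title): string
{
    return '<h3>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h3>';
}

// Hardened storage: bind parameters instead of concatenating them into SQL.
// This addresses SQL injection; it does not, by itself, prevent XSS, which
// is fixed by render_title_safe() above.
function store_topic(PDO $db, string $title, string $description): void
{
    $stmt = $db->prepare(
        'INSERT INTO lessons (title, description) VALUES (:title, :description)'
    );
    $stmt->execute([':title' => $title, ':description' => $description]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE lessons (id INTEGER PRIMARY KEY, title TEXT NOT NULL, description TEXT)'
);

// The payload from the reproduction request, URL-decoded (constructed input).
$payload = '</h3><script>alert(1231);</script>';
store_topic($db, $payload, '1');

foreach ($db->query('SELECT title FROM lessons') as $row) {
    echo 'Vulnerable: ', render_title_vulnerable($row['title']), PHP_EOL;
    echo 'Hardened:   ', render_title_safe($row['title']), PHP_EOL;
}
```

Run with `php example.php` (requires the pdo_sqlite extension). The vulnerable line reproduces the injected markup unchanged, so a browser would close the heading and run the script; the hardened line renders the title with every angle bracket converted to &lt; and &gt;, so the same bytes are shown as text. Note that the two fixes solve different problems: the prepared statement protects the database, and only output escaping protects the administrator's browser. Stripping tags on input is not a substitute, since the title may later be rendered in contexts (attributes, JavaScript strings) where a different encoding is needed.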

Vulnerability Reproduction

Payload submitted during topic creation:

POST /admin/topics.php HTTP/1.1
Host: www.education.eek
Content-Length: 84
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=57kdtsvhunk04n4n9u0lbh86vf
Connection: keep-alive

title=%3C%2Fh3%3E%3Cscript%3Ealert%281231%29%3B%3C%2Fscript%3E&description=1&insert=

When an administrator loads topics.php, the stored script executes in their browser:

[Screenshot: the alert dialog fired when the administrator views the topics list]