CultBooking 2.0.4 (cultbooking.php) Multiple XSS/PD Vulnerabilities

Title: CultBooking 2.0.4 (cultbooking.php) Multiple XSS/PD Vulnerabilities
Advisory ID: ZSL-2011-4987
Type: Remote
Impact: Cross-Site Scripting, Exposure of System Information
Risk: (3/5)
Release Date: 22.01.2011
Summary
Open source hotel booking system (Internet Booking Engine, IBE). Via a central API called CultSwitch it is possible to make bookings and set the actual availabilities in the hotel's PMS. It is easy to install and easy to integrate, with full support.
Description
CultBooking Hotel Booking System suffers from an XSS and path disclosure (PD) vulnerability when parsing user input to the 'bookingcode', 'email' and 'lang' parameters via the POST and GET methods in the cultbooking.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
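As an added example (not part of this advisory and not the vendor's code), the following script scans Apache access-log lines for requests to cultbooking.php whose 'bookingcode', 'email' or 'lang' values carry markup or fall outside an assumed strict shape for each field. The per-parameter patterns and the sample log lines are constructed assumptions; only GET query strings appear in access logs, so POST abuse needs application or WAF logging.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Parameters named in the advisory and an assumed strict shape for each
# (based on what the fields are meant to hold, not on the vendor's code).
EXPECTED = {
    "lang": re.compile(r"^[a-z]{2}(-[a-z]{2})?$", re.I),
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "bookingcode": re.compile(r"^[A-Za-z0-9_-]{1,64}$"),
}
# Crude markup indicators; anything matching is worth a look regardless of shape.
MARKUP = re.compile(r"<|>|javascript:|on\w+\s*=", re.I)

# Apache combined log format: client - - [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

def suspicious_params(path):
    """Return {param: decoded value} for advisory parameters whose value
    contains markup or does not match its expected shape. Returns {} for
    requests that are not for cultbooking.php."""
    parts = urlsplit(path)
    if not parts.path.endswith("/cultbooking.php"):
        return {}
    found = {}
    for name, pattern in EXPECTED.items():
        for raw in parse_qs(parts.query, keep_blank_values=True).get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded input
            if MARKUP.search(value) or not pattern.match(value):
                found[name] = value
    return found

def scan_log(lines):
    """Yield (client, timestamp, method, flagged_params) for each suspicious hit."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, _status = m.groups()
        hit = suspicious_params(path)
        if hit:
            yield client, ts, method, hit

# Constructed sample log lines (not real traffic): one clean request, two probes
# against the advisory's parameters, one probe against an unrelated script.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2011:10:00:01 +0100] "GET /cultbooking.php?lang=en&bookingcode=AB123 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [22/Jan/2011:10:00:07 +0100] "GET /cultbooking.php?lang=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4311',
    '203.0.113.9 - - [22/Jan/2011:10:00:12 +0100] "GET /cultbooking.php?email=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4302',
    '198.51.100.2 - - [22/Jan/2011:10:01:00 +0100] "GET /index.php?lang=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, ts, method, hit in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {method} cultbooking.php {hit}")
```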
Vendor
Cultuzz Digital Media GmbH - http://www.cultuzz.com
Affected Version
2.0.4
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[16.01.2011] Vulnerability discovered.
[16.01.2011] Initial contact with the vendor.
[20.01.2011] No response from vendor.
[22.01.2011] Public advisory released.
[07.02.2011] Vendor releases version 2.0.5 to address this issue.
PoC
cultbooking_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16028/
[2] http://www.exploit-db.com/ghdb/3677/
[3] http://secunia.com/advisories/43036/
[4] http://www.securityfocus.com/bid/45965
[5] http://securityreason.com/exploitalert/9871
[6] http://securityreason.com/exploitalert/9876
[7] http://packetstormsecurity.org/files/97804
[8] http://osvdb.org/show/osvdb/70631
[9] http://xforce.iss.net/xforce/xfdb/64854
Changelog
[22.01.2011] - Initial release
[24.01.2011] - Added references [3] and [4]
[25.01.2011] - Added references [5], [6] and [7]
[26.01.2011] - Added reference [8]
[27.01.2011] - Added reference [9]
[07.02.2011] - Updated vendor status
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk