← Advisories

CultBooking 2.0.4 (cultbooking.php) Multiple XSS/PD Vulnerabilities

Medium
Advisory ID
ZSL-2011-4987
Release Date
22 January 2011
Vendor
Cultuzz Digital Media GmbH - http://www.cultuzz.com
Affected Version
2.0.4
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Open source hotel booking system (Internet Booking Engine (IBE)). Via a central api called CultSwitch it is possible to make bookings and set the actual availabilities in the hotels pms. This is easy to install and easy to integrate with full support.

Description

CultBooking Hotel Booking System suffers from a XSS/PD vulnerability when parsing user input to the 'bookingcode', 'email' and 'lang' parameter via POST and GET methods in cultbooking.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept
cultbooking_xss.txtTXT
Disclosure Timeline
16.01.2011Vulnerability discovered.
16.01.2011Initial contact with the vendor.
20.01.2011No response from vendor.
22.01.2011Public advisory released.
07.02.2011Vendor releases version 2.0.5 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.exploit-db.com/exploits/16028/
[2]http://www.exploit-db.com/ghdb/3677/
[3]http://secunia.com/advisories/43036/
[4]http://www.securityfocus.com/bid/45965
[5]http://securityreason.com/exploitalert/9871
[6]http://securityreason.com/exploitalert/9876
[7]http://packetstormsecurity.org/files/97804
[8]http://osvdb.org/show/osvdb/70631
[9]http://xforce.iss.net/xforce/xfdb/64854
Changelog
22.01.2011Initial release
24.01.2011Added reference [3] and [4]
25.01.2011Added reference [5], [6] and [7]
26.01.2011Added reference [8]
27.01.2011Added reference [9]
07.02.2011Updated vendor status