An open-source multi-hotel booking system known as GZ Scripts has been found to be vulnerable to reflected cross-site scripting (XSS).
The system, which gives its users a powerful way to manage bookings across multiple hotels, was designed with two access levels: the Super Admin and the Hotel Owner (Agent).
Image source: fixitgearware.
The software, the GZ multiple Hotel Booking system (v1.8), is vulnerable to reflected XSS (RXSS), which allows a malicious attacker to manipulate the content of the website.
When an attacker sends a victim a well-crafted malicious link, by email or through any messaging platform, the attacker can carry out various malicious actions, such as stealing the victim’s session token or login credentials (usernames and passwords).
The GET ‘adult’ request:
The GET ‘adult’ request, which is vulnerable to RXSS (reflected cross-site scripting), shows an attacker encoding a malicious link with the RXSS payload hidden in it.
The Encoded Link:
The Decoded Link:
The GET ‘children’ request:
The GET ‘children’ request, which is vulnerable to RXSS, shows an attacker encoding a malicious link with the RXSS payload hidden in it.
The Encoded Link:
The Decoded Link:
The GET ‘cal_id’ request:
The GET ‘cal_id’ request, which is vulnerable to RXSS, shows an attacker encoding a malicious link with the RXSS payload hidden in it.
The Encoded Link:
The Decoded Link:
As of the time this vulnerability was discovered, no security update or patch had been released for websites running GZ Scripts on their booking system.
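Since no vendor patch exists, the two defensive measures a site operator can apply right away are strict integer validation of the three reflected parameters and a scan of web-server access logs for markup arriving in them. The following Python is an added example, not code from the original post or from GZ Scripts; the parameter ranges, the combined log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# The three GET parameters the advisory reports as reflected unsanitised; all are numeric in the form (ranges assumed).
NUMERIC_PARAMS = {"adult": (1, 20), "children": (0, 20), "cal_id": (1, 10**9)}

# Characters that never belong in a numeric parameter but are needed to break into HTML or script context.
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

# Apache/nginx combined log format (assumed layout of the constructed sample lines below).
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def validate_param(name, raw):
    """Hardened handling: accept only an in-range integer, otherwise None; echo the int, never the raw string."""
    lo, hi = NUMERIC_PARAMS[name]
    if raw is None or not re.fullmatch(r"\d+", raw):
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


def suspicious_params(request_uri):
    """Names of the vulnerable parameters whose value fails validation and carries markup."""
    qs = parse_qs(urlparse(request_uri).query, keep_blank_values=True)
    flagged = []
    for name in NUMERIC_PARAMS:
        for raw in qs.get(name, []):   # parse_qs has already decoded one layer
            decoded = unquote(raw)      # undo a second layer (double-encoded payloads)
            if validate_param(name, decoded) is None and MARKUP_RE.search(decoded):
                flagged.append(name)
                break
    return flagged


def scan_access_log(lines):
    """Return (client_ip, flagged_params) for every log line that carries markup in a reflected parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (flagged := suspicious_params(m.group(2))):
            hits.append((m.group(1), flagged))
    return hits


# Constructed sample log lines: a benign booking, a single-encoded and a double-encoded attempt.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /hotel/index.php?adult=2&children=1&cal_id=7 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:13:58:01 +0000] "GET /hotel/index.php?adult=%3Cscript%3Ealert(1)%3C%2Fscript%3E&children=1 HTTP/1.1" 200 5201',
    '198.51.100.7 - - [10/Oct/2023:13:58:09 +0000] "GET /hotel/index.php?cal_id=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5190',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the second and third lines only; a value such as `adult=abc` is rejected by `validate_param` but not reported, since it carries no markup.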
Credits go to:
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09
Put your comments below in the comment section on your thoughts about this.