Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)

Availability Booking Calendar v1.0: Multiple Cross-Site Scripting (XSS) Vulnerabilities Exploited

Security researchers have identified critical cross-site scripting (XSS) vulnerabilities in the Availability Booking Calendar v1.0 web application, a widely used PHP-based booking system. These flaws, reported by Andrey Stoykov in July 2023, enable attackers to inject malicious scripts into the application’s frontend, leading to potential session hijacking, data theft, and full client-side compromise. This article examines the two primary XSS vectors—unvalidated input in the Promo Code field and unrestricted SVG file uploads—and provides expert-level analysis, mitigation strategies, and real-world implications.

XSS Vulnerability #1: Unsanitized Promo Code Input

One of the most dangerous XSS vectors lies in the promo code field during booking editing. The application fails to properly sanitize user input before rendering it in the HTML form, allowing arbitrary JavaScript code to be executed in the browser.

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Content-Type: application/x-www-form-urlencoded

edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1

Here, the attacker submits a payload encoded as TEST"><script>alert(`XSS`)</script>. The server processes this input without filtering, and the resulting HTML response includes the malicious script directly in the value attribute of the input field:

Promo code:
alert(`XSS`)" title="Promo code" placeholder="">

When the user views this form, the browser interprets the <script> tag as executable code, triggering the alert('XSS') popup. This demonstrates a stored XSS vulnerability, where malicious content is persisted in the database and executed every time the form is rendered.

Why This Is Critical

• Client-side execution: The script runs in the context of the victim’s browser, giving attackers access to cookies, session tokens, and DOM manipulation.
• Attack persistence: Unlike reflected XSS, this payload remains in the system indefinitely, affecting all users who view the booking form.
• Chainable exploits: An attacker could inject a script that steals CSRF tokens or redirects users to phishing pages.

XSS Vulnerability #2: Unrestricted SVG File Upload

Another critical flaw arises from the image upload functionality in the My Account section. The application allows users to upload files with the image/svg+xml MIME type without proper validation, enabling execution of JavaScript within SVG files.

 
 
      alert(`XSS`);
   

When an attacker uploads this SVG file and opens it in a new browser tab, the <script> element is executed immediately, bypassing traditional file security measures.

Attack Vector Breakdown

This vulnerability exploits the fact that SVG files are not treated as executable by most browsers, but they do allow embedded scripts under specific conditions. The application’s lack of file type validation and content inspection enables malicious payloads to be stored and executed.

Attack Step	Description
1. Upload SVG	Submit a crafted SVG with embedded JavaScript.
2. Access via browser	Open the uploaded image in a new tab.
3. Execute script	Browser parses and runs the <script> tag.

Real-World Implications

Such vulnerabilities can lead to:

• Session hijacking: Malicious scripts can extract session cookies and send them to a remote server.
• Phishing: Redirect users to fake login pages using DOM manipulation.
• Defacement: Modify the website’s UI to display malicious content.
• Malware delivery: Use SVG to serve as a vector for more complex payloads.

Expert Mitigation Strategies

Security professionals recommend the following defenses:

1. Input Sanitization and Output Encoding

Always sanitize user input before rendering it in HTML. Use HTML entity encoding to prevent script injection:

// Incorrect: Direct rendering
value="TEST">alert(`XSS`)

// Correct: Encode special characters
value="TEST"><script>alert`XSS`</script>"

Apply htmlspecialchars() in PHP or similar functions in other languages to ensure that <, >, ", and & are rendered as safe entities.

2. File Upload Validation

Implement strict file type checks and content scanning:

• Whitelist file types: Only allow image/jpeg, image/png, and image/gif.
• Scan for script tags: Use regex or XML parsing to detect <script> or <iframe> in uploaded files.
• Disable scripting in SVG: Use a sandboxed rendering engine (e.g., libxml2 with strict parsing) to strip out script elements.

3. Content Security Policy (CSP)

Deploy a robust CSP header to prevent execution of inline scripts:

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none';

This policy blocks inline scripts, external scripts, and frames, significantly reducing the risk of XSS exploitation.

Conclusion

The Availability Booking Calendar v1.0 vulnerabilities highlight a recurring issue in web applications: inadequate input validation and lack of content security measures. Even simple fields like promo code or image uploads can become attack vectors if not properly secured. Developers must adopt a defense-in-depth strategy—combining input sanitization, file validation, and CSP—to protect users from malicious code injection.

For organizations using this software, immediate patching is essential. The vulnerabilities are not theoretical—they have been successfully exploited and can be used to compromise user sessions and data integrity.