My institution recently ran a vulnerability test on a server running Booked v2.5.5 and reported some potential cross-site scripting (XSS) vulnerabilities (CWE-79). A user does not need to be logged in to encounter the vulnerabilities. I've tried to summarize the issue below:
Parameter: It has been detected by exploiting the parameter rid
Authentication: In order to detect this vulnerability, no authentication has been required.
Access Path: Here is the path followed by the scanner to reach the exploitable URL:
<button type="submit" name="login" class="button" tabindex="100" value="submit"><img
src="img/door-open-in.png"/> Log In </button>
<input type="hidden" name="resume" value="/Web/reservation.php?rid="><qss
<div style="clear:both;"> </div>
First Time User?
<a href="register.php" title="Create an Account" >Create an Account</a>
I've tried to highlight the issue in the output above; you'll note that the string "qss" was injected into the page request and is echoed back in the HTML on the page returned. The vulnerability was also identified with the sid parameter on the /Web/view-schedule.php page and the rd parameter on the /Web/view-schedule.php page. I can try to provide more detailed information if desired.
The generic solution offered by the vulnerability detection suite was:
Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or
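As an added illustration of the encoding fix the scanner recommends, and not code from Booked or from the post above, the following PHP renders the same hidden "resume" field twice: once by echoing the request path unencoded, which is the pattern the scanner output shows, and once after HTML-encoding it for an attribute context. The function names, the allowlist pattern for the redirect target, and the sample request value are all assumptions made for the example.

```php
<?php
// Added example, not Booked's own code. Shows why the hidden "resume"
// field in the scanner output reflects an injected string, and how
// attribute-context HTML encoding plus an allowlist stops it.

// Constructed request value, in the shape a scanner would send it: the
// double quote closes the value="" attribute and "<qss" starts a new tag.
$requestUri = '/Web/reservation.php?rid="><qss';

// Vulnerable rendering: the raw URI goes straight into an attribute value.
function renderResumeFieldVulnerable(string $uri): string
{
    return '<input type="hidden" name="resume" value="' . $uri . '">';
}

// Hardened rendering: HTML-encode for the attribute context. ENT_QUOTES
// encodes both " and ' so neither can terminate the attribute, and
// < and > become entities so no tag can be opened.
function renderResumeFieldSafe(string $uri): string
{
    $encoded = htmlspecialchars($uri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="resume" value="' . $encoded . '">';
}

// Input validation on top of output encoding (assumed policy): the
// post-login redirect should only ever be a local /Web/*.php path with a
// simple query string, so anything else falls back to a fixed page.
// The character classes here are an assumption; widen them only if the
// application really needs other characters in resume targets.
function safeResumeTarget(string $uri): string
{
    $pattern = '#^/Web/[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_=&%.\-]*)?$#';
    if (preg_match($pattern, $uri) === 1) {
        return $uri;
    }
    return '/Web/index.php';
}

// Unencoded: the injected quote and tag survive into the markup.
echo renderResumeFieldVulnerable($requestUri), "\n";

// Encoded: the same input is rendered as inert text inside the attribute.
echo renderResumeFieldSafe($requestUri), "\n";

// Validated and encoded: the tainted query string fails the allowlist,
// so the field carries the fallback path instead.
echo renderResumeFieldSafe(safeResumeTarget($requestUri)), "\n";
```

Running this with `php example.php` prints the three variants in order; the first line reproduces the broken attribute seen in the scanner output, while the second and third do not. The same two measures apply to the sid and rd parameters on view-schedule.php: encode every reflected value for the context it lands in (attribute, element body, URL), and reject values that do not match the format the page actually expects, which for Referer and User-Agent headers means never writing them into markup at all unless they are encoded the same way.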