22 January, 2011

CultBooking Internet Booking Engine Multiple Vulnerabilities

Open source hotel booking system (Internet Booking Engine (IBE)). Via a central api called CultSwitch it is possible to make bookings and set the actual availabilities in the hotels pms. This is easy to install and easy to integrate with full support.

1. CultBooking suffers from a local file inlcusion/disclosure (LFI/FD) vulnerability when input passed thru the ‘lang’ parameter to cultbooking.php script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes. Conditional on ‘magic_quotes_gpc=off’.

2. CultBooking Hotel Booking System suffers from a XSS/PD vulnerability when parsing user input to the ‘bookingcode’, ‘email’ and ‘lang’ parameter via POST and GET methods in cultbooking.php script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

ZSL-2011-4987http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4987.php
ZSL-2011-4988http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4988.php


ref: http://zeroscience.mk/blog/01/2011/cultbooking-internet-booking-engine-multiple-vulnerabilities/

No comments: