CVE-2017-17828
Description
Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bus Booking Script is vulnerable to reflected XSS via the datepicker parameter in results.php and stored XSS via the spemail parameter in admin/new_master.php.
Vulnerability
Bus Booking Script (latest version as of the report) contains cross-site scripting (XSS) vulnerabilities in two locations. The results.php page reflects unsanitized user input through the datepicker GET parameter, allowing immediate execution of arbitrary HTML/JavaScript. The admin/new_master.php page stores unsanitized input from the spemail POST parameter in the application's database, leading to persistent XSS when that data is later rendered. No authentication is required for the reflected XSS; the stored XSS requires admin-level access to trigger but can be combined with CSRF to force an admin to inject the payload [1].
Exploitation
For reflected XSS, an attacker crafts a URL such as http://travelbookingscript.com/demo/newbusbooking/results.php?triptype=1&ter_from=123&tag=123&datepicker=08-01-2018123%27%22%3E%3Cimg%20src=x%20onerror=%22console.log(document.cookie)%22%3E and tricks a victim into clicking it. No prior authentication or special position is needed. For stored XSS, the attacker submits a POST request to admin/new_master.php with spemail containing payloads like test@gmail.com'>. Since the endpoint lacks CSRF protection, the attacker can combine this with a CSRF attack (e.g., an auto-submitting form) to force an authenticated admin to execute the stored XSS injection [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. For reflected XSS, this can lead to session theft, cookie exfiltration, or redirection to malicious sites. For stored XSS, the injected payload persists and executes for any admin viewing the affected page, potentially enabling account takeover, credential theft, or further administrative actions. The impact is constrained to the browser session and the user's privileges; in the stored case, the attacker gains the privileges of the admin who views the injected data [1].
Mitigation
As of the publication date (2017-12-21), no official patch or fixed version has been released, and the vendor has not publicly acknowledged the issue in the provided references. Users of Bus Booking Script should apply input validation and output encoding to the datepicker and spemail parameters, implement CSRF tokens on admin forms, and consider migrating to an alternative booking script if vendor support is absent. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
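The mitigation above, as an added example written here (not Bus Booking Script's own code, whose sources are not on this page): the two handlers validate their inputs, encode every value on output, and gate the admin POST behind a session-bound CSRF token. The function names, the `masters` table, and the `$pdo` connection are assumptions made for illustration.

```php
<?php
// Added example, not Bus Booking Script's code. Names of functions, the
// "masters" table and the $pdo connection are assumptions.

// Output encoding for any value placed in HTML text or attribute context.
// ENT_QUOTES covers both quote characters, so attribute break-outs such as
// the '"> sequence in the reported payload are neutralised.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// results.php: a date has a fixed shape, so reject anything that is not
// exactly dd-mm-yyyy instead of trying to strip "bad" characters.
function validated_date(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $dt = DateTime::createFromFormat('!d-m-Y', $raw);
    // Trailing data (e.g. "08-01-2018123'\">...") makes createFromFormat()
    // fail; the round trip additionally rejects out-of-range day/month.
    if ($dt === false || $dt->format('d-m-Y') !== $raw) {
        return null;
    }
    return $dt->format('d-m-Y');
}

function handle_results(array $get): string
{
    $date = validated_date($get['datepicker'] ?? null);
    if ($date === null) {
        http_response_code(400);
        return 'Invalid date';
    }
    // Vulnerable pattern from the report: echo $_GET['datepicker'] unencoded.
    // Hardened: validated and encoded before it reaches the page.
    return '<input type="text" name="datepicker" value="' . h($date) . '">';
}

// admin/new_master.php: CSRF token tied to the session, compared in
// constant time, plus validation of spemail and encoding on render.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function handle_new_master(PDO $pdo, array $post, ?string $storedEmail): string
{
    if ($post !== []) {
        // An auto-submitting form on an attacker's site cannot read the
        // victim's token, so the forged POST fails here.
        if (!csrf_check($post['csrf_token'] ?? null)) {
            http_response_code(403);
            return 'Invalid CSRF token';
        }
        $email = filter_var($post['spemail'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($email === false) {
            http_response_code(400);
            return 'Invalid email';
        }
        // Prepared statement for the storage step (table name assumed).
        $stmt = $pdo->prepare('INSERT INTO masters (spemail) VALUES (:email)');
        $stmt->execute([':email' => $email]);
        $storedEmail = $email;
    }
    // Encoding on output is the primary control: RFC 5322 permits some
    // punctuation in addresses, so validation alone is not sufficient.
    return '<form method="post">'
        . '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">'
        . '<input type="text" name="spemail" value="' . h($storedEmail ?? '') . '">'
        . '<button type="submit">Save</button></form>';
}

// Usage (assumed entry points): session_start() must precede csrf_token().
// echo handle_results($_GET);
// session_start(); echo handle_new_master($pdo, $_POST, $currentEmail);
```

The two controls are independent on purpose: the CSRF token stops an unauthenticated party from driving an admin's browser to the POST, and output encoding ensures that whatever does reach the database cannot execute when rendered back to an admin.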
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
[1] https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md (NVD: Exploit, Third Party Advisory)
News mentions: 0
No linked articles in our index yet.