CVE-2017-17940
Description
PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Scripts Mall Single Theater Booking has reflected XSS via the title parameter in admin/sitesettings.php, allowing script injection.
Vulnerability
PHP Scripts Mall Single Theater Booking is vulnerable to Cross-Site Scripting (XSS) through the title parameter in admin/sitesettings.php. The application does not properly sanitize user input, allowing an attacker to inject arbitrary HTML or JavaScript. The affected version is the latest one available at the time of discovery (the demo version). The vulnerability is triggered when the title parameter is processed and rendered without output encoding [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to admin/sitesettings.php with a malicious payload in the title parameter. For example, the value Ticket Booking'" <svg/onload=alert('xss')> demonstrates a proof of concept. The attacker does not need a special network position if the target is reachable, but does require administrative access to the site settings page to trigger the stored XSS. Alternatively, CSRF can be combined with it to trick an authenticated admin into submitting the malicious request [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data. The stored XSS persists in the application settings, affecting any admin who visits the page [1].
Mitigation
As of the public report, no patch has been released by the vendor. Mitigation involves manually sanitizing the title parameter input, applying output encoding, and implementing Content Security Policy (CSP) headers. Until a fix is available, restricting access to the admin panel and using web application firewalls (WAF) may reduce risk [1].
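For the unencoded rendering described under Vulnerability and the output-encoding and CSP mitigations above, the following is an added PHP illustration, not code from Single Theater Booking; the function names, the $settings array and the form markup are assumed stand-ins for the vendor's page:

```php
<?php
// Added example, not code from Single Theater Booking: a minimal stand-in for
// the pattern behind CVE-2017-17940 (a stored site title echoed back into
// admin/sitesettings.php without encoding) next to the hardened form.
// Function names, the $settings array and the form markup are assumed.

// Constructed input: the proof-of-concept value quoted in the advisory.
$settings = ['title' => "Ticket Booking'\" <svg/onload=alert('xss')>"];

// Vulnerable pattern: the saved value is interpolated straight into an HTML
// attribute, so the quotes close the attribute and <svg onload> becomes live
// markup for every admin who loads the settings page.
function render_title_unsafe(array $settings): string
{
    return '<input type="text" name="title" value="' . $settings['title'] . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both ' and ", which this payload relies on to break out.
function render_title_safe(array $settings): string
{
    $enc = htmlspecialchars($settings['title'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="title" value="' . $enc . '">';
}

// Input-side check for the POST handler: a site title is plain text, so reject
// angle brackets and control characters and cap the length. This is defence in
// depth, not a substitute for output encoding.
function validate_title(string $title): bool
{
    return mb_strlen($title, 'UTF-8') <= 120
        && preg_match('/[<>\x00-\x1F]/u', $title) !== 1;
}

// Response-layer defence in depth: a CSP without 'unsafe-inline' keeps the
// browser from running an injected onload handler even if an encoding gap
// remains elsewhere in the admin panel.
function csp_header_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

header('Content-Security-Policy: ' . csp_header_value());
echo render_title_unsafe($settings), PHP_EOL; // raw payload reaches the page
echo render_title_safe($settings), PHP_EOL;   // payload rendered as inert text
var_dump(validate_title($settings['title']));
```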
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/d4wner/Vulnerabilities-Report/blob/master/Single-Theater-Booking.md (NVD tags: Exploit, Issue Tracking, Third Party Advisory)
News mentions (0)
No linked articles in our index yet.