HotelDruid Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in HotelDruid versions up to and including 3.0.7. The flaw is in 'modifica_app.php', where the user-supplied URL for a room image is not properly sanitized before it is rendered on the page. A user with room editing privileges can therefore store a script payload in the image URL field; the script runs whenever the stored image URL is rendered.

Impact

Exploitation yields stored cross-site scripting: the injected script runs in the browser, and therefore with the session, of any user who views the room image. Because the application's password reset mechanism is weak and its requests lack CSRF protection, the XSS can be chained into account takeover. The application also caches URLs that contain the session ID, which can be exploited to steal session information.

Reproduction

To reproduce, log into HotelDruid as a user with room editing privileges, open the 'modifica_app.php' page and enter a payload in the room image URL field. The payload must contain JavaScript, be followed by a valid image file extension, and otherwise comply with the application's input restrictions. Once submitted, the payload is stored and executes when the image URL is rendered.
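The description above (JavaScript followed by a valid image extension, passing the input restrictions) is the classic signature of a filter that inspects only the end of a URL. The following added example is not HotelDruid code and does not reproduce its exact check; it is an illustration of that class of bug and its fix. The extension list, the allowed schemes, and both payload strings are constructed for this example, and the payloads are generic XSS shapes rather than the input used against HotelDruid. It contrasts an extension-only filter with whole-URL allowlist validation plus context-aware output encoding.

```python
import html
from urllib.parse import urlsplit

# Extensions the hypothetical image-URL field accepts (an assumption for this example).
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
ALLOWED_SCHEMES = ("http", "https")

# Constructed payloads matching the advisory's shape: JavaScript, then a valid
# image extension. Generic XSS shapes, not the exact HotelDruid input.
ATTRIBUTE_BREAKOUT = 'https://example.com/a" onerror="alert(1)" x=".png'
SCHEME_ABUSE = "javascript:alert(1)//.png"


def weak_check(url: str) -> bool:
    """Extension-only filter: anything ending in an image extension passes."""
    return url.lower().endswith(IMAGE_EXTENSIONS)


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the stored URL is written into an attribute verbatim."""
    return f'<img src="{url}">'


def is_safe_image_url(url: str) -> bool:
    """Allowlist validation of the whole URL, not just its last characters."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return False  # rejects javascript:, data:, relative and scheme-less input
    # Quotes, angle brackets and whitespace have no place in an image URL and are
    # exactly what an attribute or tag breakout needs.
    if any(c in url for c in '"\'<>') or any(c.isspace() for c in url):
        return False
    return parts.path.lower().endswith(IMAGE_EXTENSIONS)


def escape_for_attribute(value: str) -> str:
    """Context-aware output encoding for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def render_safe(url: str):
    """Hardened pattern: validate on input, encode on output.

    Returns the <img> tag, or None when the URL is rejected.
    """
    if not is_safe_image_url(url):
        return None
    return f'<img src="{escape_for_attribute(url)}">'


if __name__ == "__main__":
    for payload in (ATTRIBUTE_BREAKOUT, SCHEME_ABUSE):
        print("weak check passes:", weak_check(payload))
        print("unsafe render:    ", render_unsafe(payload))
        print("safe render:      ", render_safe(payload))
    print("legitimate URL:   ", render_safe("https://example.com/rooms/101.png"))
```

Both payloads satisfy the extension-only check, and the first one closes the `src` attribute and adds an `onerror` handler when rendered verbatim. Output encoding alone already neutralizes that breakout (the quote becomes `&quot;`), but it does nothing about a `javascript:` scheme, which is why the scheme allowlist is applied as well; the two controls address different contexts and should both be present.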

Remediation

Update to HotelDruid version 3.0.8, which fixes this vulnerability.

Added: Dec 11, 2025, 9:23 PM
Updated: Dec 11, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.1
exploitability: 6.3
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.