Travel Website v1.0 - Multiple SQLi

Description

Travel Website v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-50862

The 'hotelIDHidden' parameter of the booking.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

<?php elseif($mode=="hotel"): ?>

<div class="col-sm-12 bookingHotel">

<?php

 $hotelID = $_POST["hotelIDHidden"];

 $hotelSQL = "SELECT * FROM `hotels` WHERE hotelID='$hotelID'";
 $hotelQuery = $conn->query($hotelSQL);

CVE-2023-50863

The 'hotelIDHidden' parameter of the generateReceipt.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-50864

The 'hotelId' parameter of the hotelDetails.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-50865

The 'city' parameter of the hotelSearch.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-50866

The 'username' parameter of the loginAction.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-50867

The 'username' parameter of the signupAction.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

Our security policy

We have reserved the IDs CVE-2023-50862, CVE-2023-50863, CVE-2023-50864, CVE-2023-50865, CVE-2023-50866 and CVE-2023-50867 to refer to these issues from now on.

Disclosure policy

System Information

• Version: Travel Website v1.0

• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://www.kashipara.com/