Cross-site scripting (XSS) vulnerability in details_view.php in PHP Booking Calendar 10e allows remote attackers to inject arbitrary web script or HTML via the page_info_message parameter.
PHP Booking Calendar 10e is vulnerable to reflected cross-site scripting (XSS): the page_info_message parameter of details_view.php is written into the HTML response without encoding, so an attacker who gets a victim to open a crafted link can run script of their choosing in the victim's browser, within the application's origin. Consequences include account or session compromise, theft of data the victim can see in the application, and defacement of the page.
Step 1: Payload Construction: The attacker crafts a URL whose page_info_message parameter carries a JavaScript payload, for example: http://vulnerable-site/details_view.php?page_info_message=<script>alert('XSS')</script>. In practice the browser percent-encodes the angle brackets and quotes before sending the request; the server decodes them again, so the payload reaches the script intact.
Step 2: Payload Delivery: The attacker gets a victim to request this URL, typically through a phishing message, social engineering, or a link or redirect placed on a site the attacker controls.
Step 3: Server Processing: details_view.php receives the request and reads the value of the page_info_message parameter from the query string.
Step 4: Unencoded Output: The script writes the attacker-controlled page_info_message value, JavaScript payload included, directly into the HTML response without validation or output encoding.
Step 5: Browser Execution: The victim's browser receives the response, parses the injected markup as part of the page, and executes the script. Because the script runs in the application's origin, the attacker can read the page's DOM and any cookies not marked HttpOnly, issue requests to the application as the victim, redirect the user, or rewrite the page's content.
The vulnerability stems from a failure to encode user-supplied input before it is written into the page. details_view.php in PHP Booking Calendar 10e incorporates the page_info_message parameter into its HTML output without input validation or output encoding, so any HTML or JavaScript contained in the parameter is rendered and executed by the victim's browser. The root cause is the missing contextual output encoding (HTML escaping of <, >, &, and quote characters) at the point where page_info_message is rendered; input validation alone would not be a complete fix, since the value is legitimately free text and the defect is in how it is emitted.
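The following added example, written for this page and not taken from PHP Booking Calendar 10e (whose actual details_view.php source is not reproduced here), models Steps 3 to 5 above and the root cause just described. The function names, the surrounding <div> markup, and the assumption that the parameter is echoed into the HTML body are all illustrative; only the parameter name and the payload come from the advisory. It shows the vulnerable pattern next to the hardened one and checks what each produces for the advisory's payload:

```php
<?php
// Added illustrative example; not the project's own code. The vulnerable
// function is a reconstruction of the pattern the advisory describes
// (parameter concatenated straight into HTML), not the real details_view.php.
declare(strict_types=1);

// Vulnerable pattern (assumed): the decoded parameter value is placed into
// the HTML body unchanged, so "<script>" in the query string becomes a live
// script element when the browser parses the response.
function render_info_message_vulnerable(string $pageInfoMessage): string
{
    return '<div class="info">' . $pageInfoMessage . '</div>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning "".
// This is correct for HTML body/attribute context only; a value placed inside
// a <script> block or a URL would need encoding for that context instead.
function render_info_message_fixed(string $pageInfoMessage): string
{
    $encoded = htmlspecialchars($pageInfoMessage, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="info">' . $encoded . '</div>';
}

// Step 3: the server reads the parameter from the query string. parse_str()
// percent-decodes the value, which is why the payload arrives intact even
// though the browser encoded the angle brackets on the wire.
function parameter_from_query(string $queryString, string $name): ?string
{
    parse_str($queryString, $params);
    return (isset($params[$name]) && is_string($params[$name])) ? $params[$name] : null;
}

// True when a raw <script tag survives into the output, i.e. the browser
// would execute it (Step 5).
function contains_live_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Step 1 payload from the advisory, percent-encoded as a browser would send it.
$payload = "<script>alert('XSS')</script>";
$query   = 'page_info_message=' . rawurlencode($payload);
$message = parameter_from_query($query, 'page_info_message');

$vulnerable = render_info_message_vulnerable($message);
$fixed      = render_info_message_fixed($message);

echo "query string : $query\n";
echo "decoded param: $message\n";
echo "vulnerable   : $vulnerable\n";
echo "  executable : " . (contains_live_script_tag($vulnerable) ? 'yes' : 'no') . "\n";
echo "fixed        : $fixed\n";
echo "  executable : " . (contains_live_script_tag($fixed) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The vulnerable output contains `<script>alert('XSS')</script>` verbatim, while the fixed output contains `&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;`, which the browser displays as text and never executes. The fix belongs at the output statement, not at the input: the same page_info_message value may be stored or logged safely, and it is only its insertion into HTML that must be encoded.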