CVE-2017-12812

MEDIUM 4.3 / 10.0
Published: December 30, 2017 at 07:29 AM
Modified: April 20, 2025 at 01:37 AM
Source: cve@mitre.org

Vulnerability Description

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

PHPJabbers Night Club Booking Software is vulnerable to stored Cross-Site Scripting (XSS), allowing attackers to inject malicious scripts into the application. This can lead to session hijacking, data theft, and website defacement. Successful exploitation requires an attacker to inject a malicious payload into the 'name' parameter within the reservations tab.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious payload, typically JavaScript code, designed to execute within the victim's browser. This payload is designed to be injected into the 'name' field of the reservation form.

Step 2: Payload Injection: The attacker submits the crafted payload through the reservation form, entering it into the 'name' field.

Step 3: Data Storage: The vulnerable application stores the attacker's input, including the malicious payload, in its database.

Step 4: Data Retrieval and Display: When a user, such as an administrator or another legitimate user, views the reservation details (e.g., in the reservations tab), the application retrieves the stored data from the database.

Step 5: XSS Execution: The application displays the reservation details, including the 'name' field. Because the input was not properly sanitized, the attacker's JavaScript payload is executed by the victim's web browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user, or defacing the website.

03 // Deep Technical Analysis

The vulnerability stems from a lack of proper input validation and output encoding in the PHPJabbers Night Club Booking Software. Specifically, the software fails to sanitize user-supplied input provided through the 'name' parameter when creating a reservation. This allows an attacker to inject arbitrary HTML or JavaScript code. When the reservation details are later displayed, the injected code is executed by the victim's web browser, leading to XSS. The root cause is the absence of output encoding, such as htmlspecialchars() or a similar mechanism, which would prevent the browser from interpreting the injected code as legitimate HTML.
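
The missing output encoding described above, shown as an added example (not PHPJabbers code): a stored 'name' value rendered without and with htmlspecialchars(). The row layout, function names and sample reservations are assumptions constructed for illustration.

```php
<?php
// Hypothetical reservation rows as they might be read back from the database.
// The second and third names are constructed, harmless XSS probes.
$reservations = [
    ['id' => 1, 'name' => "Alice O'Brien"],
    ['id' => 2, 'name' => '<script>alert(1)</script>'],
    ['id' => 3, 'name' => '" onmouseover="alert(1)'],
];

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so the browser parses it as HTML/JavaScript when the list is viewed.
function render_row_unsafe(array $r): string
{
    return '<tr><td title="' . $r['name'] . '">' . $r['name'] . "</td></tr>\n";
}

// Encode at output time for the HTML context. ENT_QUOTES also encodes single
// and double quotes, which matters when the value lands inside an attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every use of the stored value goes through e().
function render_row_safe(array $r): string
{
    return '<tr><td title="' . e($r['name']) . '">' . e($r['name']) . "</td></tr>\n";
}

foreach ($reservations as $r) {
    $safe = render_row_safe($r);
    // After encoding, the name can no longer open a tag or close the attribute.
    if (strpos($safe, '<script') !== false || strpos($safe, '" onmouseover') !== false) {
        throw new RuntimeException('encoding failed for reservation ' . $r['id']);
    }
    echo 'unsafe: ', render_row_unsafe($r);
    echo 'safe:   ', $safe;
}
```

Encoding is applied where the value is written into HTML rather than when it is stored, so rows already in the database are neutralised as well.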

CVE-2017-12812 - MEDIUM Severity (4.3) | Free CVE Database | 4nuxd