Bookea-tu-Mesa is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This flaw allows attackers to inject malicious scripts that execute within the context of a user's session.
Steps to Reproduce:
- Go to http://localhost/Bookea-tu-Mesa/index.php
- Enter "<script>alert('XSS');</script>" in the Full Name and submit.
- The script executes, demonstrating the XSS vulnerability.
Vulnerable Code: File: insert_reservation.php Line 11: $Fname = mysqli_real_escape_string($conex, $_POST['Fname']);
Suggested Fix: $Fname = htmlspecialchars(mysqli_real_escape_string($conex, $_POST['Fname']), ENT_QUOTES, 'UTF-8');
This would sanitize the HTML character.
Authors:
Patrick Dean Ramos
Nathu Nandwani
Junnair Manla
Kevin Rosales
Steve Nyan
Shanavas Shakeer
Lani Lambert