CVE-2022-4251 - Understanding the XSS Vulnerability in Movie Ticket Booking System (VDB-214628)
In recent years, web vulnerabilities have become an everyday concern for developers and website owners. One such vulnerability, CVE-2022-4251, was discovered in the *Movie Ticket Booking System*. This issue is tracked as VDB-214628 in various vulnerability databases, and it revolves around a Cross Site Scripting (XSS) flaw in the file editBooking.php.
This post covers everything you need to know about this vulnerability: what it is, how it works, how an attacker might exploit it, and how you can protect yourself from similar problems.
What is CVE-2022-4251?
CVE-2022-4251 is a security vulnerability found in an online Movie Ticket Booking System, a web-based project commonly used for learning and developing ticketing solutions. The flaw allows remote attackers to perform a Cross Site Scripting (XSS) attack due to insufficient sanitization of user input in the editBooking.php file.
XSS allows attackers to inject malicious scripts into web pages viewed by other users. If successful, attackers can hijack user sessions, deface websites, or redirect victims to malicious sites.
Where is the Vulnerability?
The root cause of the issue is in the editBooking.php script. Specifically, the application does not properly sanitize input fields when editing booking records. For example, the "name" field may accept non-escaped HTML or JavaScript.
Vulnerable Code Snippet (editBooking.php)
```php
<?php
// ... database connection and other code omitted for brevity
// Get booking data
$id = $_GET['id'];
$query = "SELECT * FROM bookings WHERE id='$id'";
$result = mysqli_query($conn, $query);
$row = mysqli_fetch_assoc($result);
// Render form with booking data
?>
<form action="editBooking.php" method="post">
<input type="hidden" name="id" value="<?php echo $row['id']; ?>">
<input type="text" name="name" value="<?php echo $row['name']; ?>"> <!-- VULNERABLE LINE -->
<!-- more fields ... -->
<input type="submit" value="Save">
</form>
```
Notice: The value of name is *echoed directly* into the HTML without sanitizing!
1. The attacker prepares an XSS payload such as `"><script>alert('XSS')</script>` (the same string used in the POST request below).
2. The attacker submits or edits their booking, entering this payload into the "name" field.
3. When an admin or other user opens editBooking.php for this booking, the payload is executed in their browser, popping up an alert box (or doing something more damaging).
To test or exploit the vulnerability, an attacker could send the following HTTP POST request:
```http
POST /editBooking.php?id=123 HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded

name="><script>alert('XSS')</script>&other_field=...
```
Any HTML or JavaScript code inside the "name" field will be injected directly into the web page.
This vulnerability is publicly known and has a published exploit. References include:
- Vuldb: VDB-214628
- CXSecurity Disclosure
> Note: This means that actual attackers may already have scripts or tools targeting any site running the affected Movie Ticket Booking System.
Risks and Impact
If exploited, attackers can:
- Steal sensitive information like user credentials and booking details.
Any user who opens the poisoned page is at risk.
How to Fix
Sanitize user inputs and escape output. Update the editBooking.php file to properly encode HTML.
Replace:
```php
<input type="text" name="name" value="<?php echo $row['name']; ?>">
```
With:
```php
<input type="text" name="name" value="<?php echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'); ?>">
```
This function will escape HTML special characters and prevent script injection.
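As an added example (not code from the project or the original post), the hardened rendering of the name field as a stand-alone PHP script: the database query is replaced by a constructed `$row` carrying the payload from the POST request above, and the helper names `e()` and `renderNameInput()` are my own.

```php
<?php
// Added example: output-encoding the booking "name" in the attribute
// context of editBooking.php. No database is used; $row is a constructed
// sample record containing the payload from the write-up.
declare(strict_types=1);

// Escape a value for use inside an HTML attribute or text node.
// ENT_QUOTES converts both " and ' so the value can never close a quoted
// attribute (before PHP 8.1 the default flags left ' alone);
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the name field of the edit form for one booking row.
// Encoding happens at output time only: the stored value stays as the
// user typed it, and the browser decodes the entities when the form is
// shown and resubmitted, so nothing gets double-encoded.
function renderNameInput(array $row): string
{
    return '<input type="text" name="name" value="' . e($row['name']) . '">';
}

// Constructed sample row: the payload from the POST request, as stored.
$row = ['id' => 123, 'name' => '"><script>alert(\'XSS\')</script>'];

$vulnerable = '<input type="text" name="name" value="' . $row['name'] . '">';
$hardened   = renderNameInput($row);

echo "Vulnerable markup:\n$vulnerable\n\n";
echo "Hardened markup:\n$hardened\n\n";

// Check: after encoding, no raw '<' or '"' from user data reaches the page,
// so the value attribute stays closed and no <script> element is created.
$escaped = strpos($hardened, '<script>') === false
    && substr_count($hardened, '"') === 6;   // only the six quotes we wrote
echo 'Payload neutralised: ' . ($escaped ? 'yes' : 'no') . "\n";
```

The same `e()` helper belongs on every other echoed field in the form (the hidden id included), since the page's root cause is unescaped output rather than one specific field.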
- Affected File: editBooking.php
- CVE: CVE-2022-4251 CVE Details
- Public Exploit: YES (Vuldb VDB-214628)
Always sanitize user input. Even small projects for learning or demonstration can become targets if left unpatched. Protect your users—and yourself—from security problems by reviewing and updating your code regularly.
Further Reading
- Cross-site scripting (XSS) - OWASP Cheat Sheet
- XSS: How to Prevent Cross-site Scripting in PHP
- VulDB Entry
- CXSecurity Issue WLB-2022110077
Timeline
Published on: 12/01/2022 08:15:00 UTC
Last modified on: 12/05/2022 15:01:00 UTC