CVE-2024-42762
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Kashipara Bus Ticket Reservation System v1.0 allows attackers to inject malicious scripts into the Name, Phone, and Email fields in the history.php page. These scripts execute when legitimate users view the affected page, potentially compromising their sessions or stealing credentials. This affects all deployments of version 1.0 that expose the booking system to untrusted users.
💻 Affected Systems
- Kashipara Bus Ticket Reservation System v1.0
📦 What is this software?
A PHP web application from Kashipara for booking bus tickets. Its booking history page (history.php) displays the Name, Phone, and Email values that were submitted with a booking, which is where the stored payload is rendered.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over administrative accounts, manipulate booking data, deface the website, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers will steal user session cookies, perform actions as authenticated users, capture sensitive information from booking forms, or redirect users to phishing pages.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires the ability to submit booking data (typically customer registration), but the technical complexity of the XSS injection is minimal. Because the payload is stored, it fires for every user who views the affected history page, including administrators reviewing bookings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.kashipara.com/
Restart Required: No
Instructions:
No official patch available. Contact Kashipara for updated version information and apply any available security updates.
🔧 Temporary Workarounds
Implement Input Validation and Output Encoding
Validate the Name, Phone, and Email values server-side at the point where the booking is submitted (reject anything that is not a plausible name, phone number, or email address), and encode every user-supplied value at the point where history.php writes it into the page.
Modify history.php so that each echoed user-controlled value goes through htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8'); ENT_QUOTES matters because it also escapes single quotes, so a value cannot break out of a single-quoted attribute (on PHP versions before 8.1 the default flags do not include it). Note that htmlspecialchars() only protects HTML body and quoted-attribute contexts; a value placed in a URL attribute such as href or src still needs its scheme validated.
Apply Content Security Policy (CSP)
Implement a strict Content Security Policy header to block execution of inline scripts and restrict script sources. This is defence in depth, not a fix: the injected markup is still stored and rendered, and a policy of 'self' also blocks any inline scripts and event handlers the application itself relies on, so test the booking and history pages after enabling it.
Add to web server config or PHP header: Content-Security-Policy: default-src 'self'; script-src 'self'
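The two workarounds above (output encoding with htmlspecialchars() and the CSP header), shown together as an added example; this is not Kashipara's code and does not reproduce the real history.php. The record layout, the field names, the helpers e() and validate_booking(), and the sample record are assumptions made for the illustration.

```php
<?php
// Added example, not Kashipara's code: a stand-in for how a booking record
// is stored and then rendered by history.php. Field names, $booking, e(),
// validate_booking() and the sample record are assumptions.
declare(strict_types=1);

// Defence in depth: send the CSP header before any output is emitted.
// 'self' blocks inline <script> and event handlers, including legitimate
// ones the app may use, so test the booking pages after enabling it.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Output encoding for HTML body and quoted-attribute contexts.
// ENT_QUOTES escapes both ' and " so a value cannot break out of a
// single-quoted attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Server-side validation at submission time (the booking form), before the
// values are stored. Returns a list of error messages; empty means valid.
function validate_booking(array $in): array
{
    $errors = [];
    $name  = trim((string)($in['name'] ?? ''));
    $phone = trim((string)($in['phone'] ?? ''));
    $email = trim((string)($in['email'] ?? ''));

    // Letters, combining marks, spaces, apostrophes, hyphens and dots, 1-60 chars.
    if (!preg_match('/^[\p{L}\p{M} .\'-]{1,60}$/u', $name)) {
        $errors[] = 'name: only letters, spaces, apostrophes, hyphens and dots';
    }
    // Digits with an optional leading +, 6-15 digits (E.164 upper bound).
    if (!preg_match('/^\+?[0-9]{6,15}$/', $phone)) {
        $errors[] = 'phone: digits only, optional leading +';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

// Constructed sample record standing in for a row read from the database.
// A record like this is what the advisory's payload would leave behind.
$booking = [
    'name'  => "<script>alert('XSS')</script>",
    'phone' => "' onmouseover='alert(1)",
    'email' => 'mallory@example.com',
];

// VULNERABLE rendering (the pattern the advisory describes): stored values
// are echoed straight into the page, so the name executes as script and the
// phone breaks out of its single-quoted attribute.
$vulnerable = "<td>{$booking['name']}</td>"
            . "<td><input value='{$booking['phone']}'></td>"
            . "<td>{$booking['email']}</td>";

// HARDENED rendering: every user-controlled value passes through e().
$hardened = '<td>' . e($booking['name']) . '</td>'
          . "<td><input value='" . e($booking['phone']) . "'></td>"
          . '<td>' . e($booking['email']) . '</td>';

echo $vulnerable, PHP_EOL, $hardened, PHP_EOL;
// Validation errors for the sample record, i.e. why it should never be stored.
print_r(validate_booking($booking));
```

Run it with the PHP CLI: the first printed row carries the raw payload, the second shows `<` as `&lt;` and the phone's quote as `&#039;`, so neither value can leave its context. The same record also fails validate_booking(), which is the layer that stops the payload from being stored in the first place; keep both, since encoding at output is what protects records that are already in the database.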
🧯 If You Can't Patch
- Restrict access to the booking system to trusted users only using network segmentation or authentication requirements
- Implement a web application firewall (WAF) with XSS protection rules to filter common payloads; treat this as a stop-gap, since URL-encoded, mixed-case, or attribute-based payloads routinely slip past signature rules
🔍 How to Verify
Check if Vulnerable:
Test by submitting booking data with XSS payloads in the Name, Phone, or Email fields (e.g., <script>alert('XSS')</script>, and an attribute-breaking variant such as ' onmouseover='alert(1) in case a naive filter only blocks <script>), then view history.php and check both whether the script executes and whether the page source shows the payload encoded (&lt;script&gt;) or raw
Check Version:
Check the system documentation or contact Kashipara support to confirm version
Verify Fix Applied:
After implementing fixes, repeat the same payloads and verify in the page source that they are encoded and displayed as literal text rather than executing; if a CSP was added, also confirm the browser console reports the blocked inline script rather than the page silently breaking
📡 Detection & Monitoring
Log Indicators:
- Unusual characters in booking form submissions (<, >, script, javascript, etc.)
- Multiple failed booking attempts with suspicious payloads
Network Indicators:
- HTTP requests containing XSS payload patterns in POST data to history.php (or to whichever page accepts the booking form that history.php later displays)
SIEM Query:
source="web_logs" AND (uri="/history.php" OR uri LIKE "%/history.php%") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%" OR request_body LIKE "%onerror=%")
Two caveats: stock Apache and nginx access logs do not record POST bodies, so request_body is only populated if body logging (for example a ModSecurity audit log, or an nginx log_format using $request_body) or application-level logging is in place; and a literal LIKE "%<script>%" misses bodies that are URL-encoded (%3Cscript%3E), mixed-case (<ScRiPt>), or use other vectors such as <img onerror=...>, so decode and lower-case the body before matching and include event-handler patterns.
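The decode-then-match logic described above, as an added example that is not part of the original advisory. It scans constructed access-log lines in which the POST body has been appended as the final quoted field; that log layout, the endpoint list, the pattern set, and the sample lines are all assumptions made for the example.

```php
<?php
// Added example, not part of the original advisory: scan web-server log
// lines for stored-XSS injection attempts against the booking flow.
// The log format (access-log prefix with the POST body appended as the last
// quoted field) and the sample lines are constructed for this example.
declare(strict_types=1);

// Patterns checked against the URL-decoded, lower-cased request body.
// Matching after decoding catches %3Cscript%3E and mixed case, which a
// plain LIKE '%<script>%' on the raw body does not.
const XSS_PATTERNS = [
    'script tag'     => '/<\s*script\b/',
    'javascript uri' => '/javascript\s*:/',
    'event handler'  => '/\bon[a-z]+\s*=/',
    'svg/img/iframe' => '/<\s*(svg|img|iframe|object|embed)\b/',
];

// Endpoints that accept or display the Name, Phone and Email fields
// (assumed names; adjust to the deployment).
const WATCHED_URIS = ['/history.php', '/booking.php'];

// Returns [uri, body] for a line with the body as the last quoted field,
// or null if the line does not parse.
function parse_line(string $line): ?array
{
    if (!preg_match('/"(?:POST|GET) (\S+) HTTP\/[\d.]+".*"([^"]*)"\s*$/', $line, $m)) {
        return null;
    }
    $path = parse_url($m[1], PHP_URL_PATH);
    return [is_string($path) ? $path : $m[1], $m[2]];
}

// Returns the names of patterns that match, after decoding. Decoding twice
// handles bodies that were URL-encoded by the client and again by the logger;
// urldecode (not rawurldecode) is used because form bodies encode space as '+'.
function match_xss(string $body): array
{
    $decoded = strtolower(urldecode(urldecode($body)));
    $decoded = html_entity_decode($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $hits = [];
    foreach (XSS_PATTERNS as $label => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Scans lines and returns one finding per suspicious request to a watched URI.
function scan(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $parsed = parse_line($line);
        if ($parsed === null) {
            continue;
        }
        [$uri, $body] = $parsed;
        if (!in_array($uri, WATCHED_URIS, true)) {
            continue;
        }
        $hits = match_xss($body);
        if ($hits !== []) {
            $findings[] = ['line' => $n + 1, 'uri' => $uri, 'patterns' => $hits];
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic): a benign booking, an
// encoded mixed-case <script> payload, an attribute/event-handler payload,
// and an unrelated GET.
$sample = [
    '203.0.113.7 - - [12/Aug/2024:10:01:02 +0000] "POST /booking.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "name=Alice&phone=5551234567&email=alice%40example.com"',
    '203.0.113.9 - - [12/Aug/2024:10:02:15 +0000] "POST /booking.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "name=%3CScRiPt%3Ealert(1)%3C/script%3E&phone=1&email=x%40y.z"',
    '203.0.113.9 - - [12/Aug/2024:10:02:40 +0000] "POST /history.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "name=%27%20onmouseover%3Dalert(1)&phone=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&email=x%40y.z"',
    '203.0.113.5 - - [12/Aug/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
];

foreach (scan($sample) as $f) {
    printf("line %d %s: %s\n", $f['line'], $f['uri'], implode(', ', $f['patterns']));
}
```

The benign first line and the unrelated GET produce no finding; the encoded mixed-case payload on line 2 is reported as a script tag only because the body was decoded and lower-cased first, and line 3 is caught by the event-handler and img patterns even though it contains no <script> at all. Feed real lines through it only after confirming your server actually logs request bodies; otherwise the last quoted field will be the User-Agent and nothing will match.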