
Airkiosk/formlib application is XSS vuln






In the last week I've found an XSS vuln in Sutra's Airkiosk
application for the realtime distribution of flights/booking and the
check-in interface (www.airkiosk.com).

The XSS is possible because they are using a VULN/OLD formlib.pl in
their application that permits executing any JavaScript you like:

            &HtmlError("formlib.parse", "bjelli", "Error parsing $_, aborting.\n");

if you get the error 'If you need help, call bjelli.'.


I suppose it can be related to these flying companies (I've only tried it
on Blu-express and Jet2.com):

Aero, Jet2.com, Air southwest, manx2, airsea, republicaairways,
blu-express, highland airways, blueisland, tobagoexpress, evolavia,
zambian, menajet.com, snowflake, airwales and others that can easily be
found by searching on Google.




The maintainer (and the flying company blu-express) have been contacted
twice via mail in the last two weeks but chose not to respond at all.

Regards
Skien
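For readers patching a formlib.pl-style script: the post only quotes the one HtmlError line, so the Perl below is an added sketch (not formlib.pl's own code; the body of HtmlError is an assumed stand-in) that contrasts interpolating the offending input line ($_) straight into the HTML error page with emitting it HTML-escaped.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-in for the original HtmlError: the message, which already
# contains the unparsed input line ($_), is dropped into the page unchanged.
sub html_error_unsafe {
    my ($where, $who, $msg) = @_;
    return "<html><body><h1>Error in $where</h1><p>$msg</p>"
         . "<p>If you need help, call $who.</p></body></html>\n";
}

# Escape the five characters that let text break out of an HTML text node
# or attribute value. No CPAN module needed, so it drops into an old script.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened variant: every caller-supplied string is escaped at the point
# where it is written into HTML, so the input line is shown but inert.
sub html_error_safe {
    my ($where, $who, $msg) = @_;
    return "<html><body><h1>Error in " . html_escape($where) . "</h1><p>"
         . html_escape($msg) . "</p><p>If you need help, call "
         . html_escape($who) . ".</p></body></html>\n";
}

# Constructed sample: a submitted field that is not valid formlib syntax,
# so the parser reaches the HtmlError branch with $_ holding the raw text.
my $bad_line = q{<b onmouseover="x()">field</b>};

for ($bad_line) {
    print "--- unsafe (markup reaches the browser) ---\n";
    print html_error_unsafe("formlib.parse", "bjelli",
                            "Error parsing $_, aborting.\n");
    print "--- safe (markup rendered as text) ---\n";
    print html_error_safe("formlib.parse", "bjelli",
                          "Error parsing $_, aborting.\n");
}
```

The safe output contains `&lt;b onmouseover=&quot;x()&quot;&gt;` where the unsafe one contains a live tag; the same escape belongs in front of every `$_` or form-field value the script echoes, not only this one message.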
