edgarjrivera / bookea-tu-mesa Goto Github PK

We have discovered a SQL Injection vulnerability in Bookea-tu-Mesa. This vulnerability allows an attacker to inject malicious SQL statements which can manipulate or disclose data in the database.

Steps to Reproduce:

1. Go to http://localhost/Bookea-tu-Mesa/ReservationTable.php.
2. In the search field, type the following SQL injection payload: ''"+UNION+SELECT+VERSION(),NULL,NULL,NULL,NULL,NULL,NULL,NULL#'.
3. The query will show the database version, demonstrating the SQL injection vulnerability.

Vulnerable Code:
The vulnerability exists in insert_reservation.php at the following lines:

Line 40: $query = "SELECT * FROM reservaciones WHERE RestaurantName LIKE '%$search_query%' OR FullName LIKE '%$search_query%'";
Line 41: $result = $conex->query($query);
Line 87:$result->free();

Suggested Fix:
Use prepared statements with parameterized queries to prevent SQL injection. Here is the revised code:

// insert_reservation.php
$query = "SELECT * FROM reservaciones WHERE RestaurantName LIKE ? OR FullName LIKE ?";
$stmt = $conex->prepare($query);
$search_with_wildcards = '%' . $search_query . '%';
$stmt->bind_param('ss', $search_with_wildcards, $search_with_wildcards);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();

CVE Consideration:
I believe this issue warrants a CVE ID because it poses a significant security risk. I am willing to coordinate with you on the CVE submission process if you agree that this issue meets the criteria.

We have discovered a Stored Cross-Site Scripting (XSS) vulnerability in Bookea-tu-Mesa. This vulnerability allows an attacker to inject malicious scripts which are executed in the context of the user's session.

Steps to Reproduce:

1. Go to http://localhost/Bookea-tu-Mesa/index.php
2. Enter "<script>alert('XSS');</script>" in the Full Name and submit.
3. The script executes, demonstrating the XSS vulnerability.

Vulnerable Code:
File: insert_reservation.php
Line 11: $Fname = mysqli_real_escape_string($conex, $_POST['Fname']);

Suggested Fix:
$Fname = htmlspecialchars(mysqli_real_escape_string($conex, $_POST['Fname']), ENT_QUOTES, 'UTF-8');

This would sanitize the HTML character.
CVE Consideration: I believe this issue warrants a CVE ID because it poses a significant security risk. I am willing to coordinate with you on the CVE submission process if you agree that this issue meets the criteria.