Multiple Vulnerabilities in PHP Jabbers Scripts

BCK Security Inc
4 min readAug 1, 2023

--

Today, I want to share some vulnerabilities discovered through a recent collaborative security research project. This was done through a local group called the Atlantic CyberSecurity Collective.

Our team, consisting of a diverse and talented group of researchers, has conducted an extensive security review on the PHPJabbers collection of scripts, and during our research, we came across some significant security vulnerabilities. It’s worth mentioning that these vulnerabilities, if exploited, could potentially pose serious threats to user data and the overall integrity of these products. We submitted our findings to MITRE, a globally recognized cybersecurity standards organization. Consequently, these vulnerabilities were validated and assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2023–36132 Availability Booking v5.0
  • CVE-2023–36133 Availability Booking v5.0
  • CVE-2023–36131 Availability Booking v5.0
  • CVE-2023–34869 Catering System v1.0
  • CVE-2023–33562 Time Slots Booking Calendar v. 3.3
  • CVE-2023–33563 Time Slots Booking Calendar v. 3.3
  • CVE-2023–33564 Time Slots Booking Calendar v. 3.3
  • CVE-2023–33561 Time Slots Booking Calendar v. 3.3
  • CVE-2023–33560 Time Slots Booking Calendar v. 3.3
  • CVE-2023–36135 Class scheduling System v. 1.0
  • CVE-2023–36134 Class scheduling System v. 1.0
  • CVE-2023–36137 Class scheduling System v. 1.0
  • CVE-2023–36141 Cleaning Business Software v 1.0
  • CVE-2023–36139 Cleaning Business Software v 1.0
  • CVE-2023–36138 Cleaning Business Software v 1.0
  • CVE-2023–36127 Appointment Scheduler — 3.0
  • CVE-2023–36126 Appointment Scheduler — 3.0

Note that we are all professionals with full time jobs and other responsibilities. With the sheer amount of products in the PHP Jabbers lineup and limited time available, we weren’t able to assess every single product. There is a lot of code reuse in those applications, so it would be safe to assume most vulnerabilities are present in other products.

Members of the research group conducted some additional research in PHP Jabbers products and found vulnerabilities which aren’t addressed in this disclosure.

We informed the PHP Jabbers team through their online forms, but were completely ignored. Each of our attempts at communicating these vulnerabilities was met with silence and an almost instantaneous “closed” status to our submitted tickets.

Our intentions behind sharing this information aren’t to tarnish the vendor’s reputation or stir up panic among its user base. Instead, we aim to encourage proactive and transparent collaboration within the cybersecurity community. It’s crucial to remember that we all share the same goal — enhancing the overall security of products and fostering a safer digital world for users.

In the sections to follow, we will delve into each of the identified vulnerabilities:

#1: Username enumeration through “Forgot Password”

(CVE-2023–36132, CVE-2023–33562, CVE-2023–36135, CVE-2023–36141, CVE-2023–36127)

Click on Forgot Password, put in a random email address, and click “Send Password Reminder”. The system will inform you that the user does not exist. This allows us to know if a user is present or not:

#2: Authenticated Account Takeover through Username/Password change.

(CVE-2023–36133, CVE-2023–33563, CVE-2023–36134, CVE-2023–36139)

Log in using the credentials provided. Click on Profile in the upper right corner. Change the email or password. The system won’t give you a security challenge. This allows anyone that has gained access to an account either through social engineering, stealing tokens, or simply accessing a computer where someone didn’t log in and completely take over the account. Since the email address is the username, the original owner has no way of recovering the account.

#3: Reflected XSS in Theme Parameter of preview.php

(CVE-2023–33564, CVE-2023–36137, CVE-2023–36138, CVE-2023–36126)

Click on “Preview” in the left hand menu. Choose a Theme and click on “Open in new window”

Change the “theme” parameter value to: theme10dnel8%22%3e%3cscript%3ealert(42)%3c%2fscript%3eko0so

#4: Reflected XSS in cid Parameter of preview.php

(CVE-2023–33560)

Same as above, but change the cid parameter value to :
r5wx9%22%3e%3cscript%3ealert(42)%3c%2fscript%3edv7zh

#5: Reflected XSS in index of availability calendar (unauthenticated)

(CVE-2023–34869)

/index.php/hhax8"><script>alert(1)</script>bj1ovglnp21?controller=pjAdmin&action=pjActionLogin

#6 Improper input validation of password parameter

(CVE-2023–36131, CVE-2023–33561)

A user can intercept the HTTP request and bypass password complexity, which can result in an insecure password containing only 1 character.

--

--

BCK Security Inc
BCK Security Inc

Written by BCK Security Inc

Julien Richard — CISSP | OSCP | CRTP | CRISC | CISA | CCSP | Pentest+ | CEH | GCP-CDL

No responses yet