Additional Vulnerabilities in PHP Jabbers Scripts

During my work with a local group called the Atlantic CyberSecurity Collective on a collaborative security research project in which we discovered multiple vulnerabilities as mentioned in the article Multiple Vulnerabilities in PHP Jabbers Scripts by BCK Security Inc, there was an additional vulnerability I discovered in 2 of the scripts.

If these vulnerabilities were exploited, they could potentially pose serious threats to user data and the overall integrity of these products. These findings were submitted MITRE, a globally recognized cybersecurity standards organization, validated and assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

• CVE-2023–36136
• CVE-2023–36140

As with the other vulnerabilities discovered, the PHP Jabbers team was informed through their online forms, but were completely ignored. Each attempt at communicating these vulnerabilities was met with silence and an almost instantaneous “closed” status to our submitted tickets.

Disclosing a vulnerability is never an easy decision, but I firmly believe that it can spark positive change when done responsibly and transparently. My aim is not to shame or harm any vendor, but rather to foster a culture of proactive collaboration that strengthens the entire digital ecosystem. By working together, we can create a safer online world for everyone.

As said by BCK Security:

It’s crucial to remember that we all share the same goal — enhancing the overall security of products and fostering a safer digital world for users.

Vulnerability: Improper handling of stored passwords

Login to the admin panel with the provided credentials and then click on “Users” in the left menu. Click on the user listed and click the pencil to edit it. You will see that the password is presented in clear text to the admin.

To validate that this was not only due to being the logged in user, create a new user or 2 and you can see the same results.