Exploit/Advisories no image

Published on July 5th, 2023 📆 | 2677 Views ⚑

0

ApPHP MicroCMS 1.0.1 Host Header Injection – Torchsec


iSpeech

====================================================================================================================================
| # Title : ApPHP MicroCMS v1.0.1 Host header attack Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) |
| # Vendor : http://www.apphp.com/php-microcms/ |
| # Dork : ApPHP MicroCMS © ApPHP Admin Login |
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine

[+] Vulnerability description :

An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.
Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP).
Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to: ...and append secret keys and tokens to links containing it:
(Django, Gallery, others)
....and even directly import scripts from it:

[+] This vulnerability affects : /phpmicrocms/index.php.

[+] Attack details :





Host header evilhostK8kAwlbV.com was reflected inside a A tag (href attribute).

[+] The impact of this vulnerability :

An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways.

[+] How to fix this vulnerability :

The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information.

====Greetings to :=========================================================================================================================
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |
===========================================================================================================================================

Source link

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑