## Title: Limo Booking Software v1.0 - CORS
## Author: nu11secur1ty
## Date: 09/08/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo
## Reference: https://portswigger.net/web-security/cors

## Description:
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin http://wioydcbiourl.com. Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. The attacker can obtain some of the victim's software resources without the victim knowing it.

STATUS: HIGH Vulnerability

[+] Test Payload:

```
GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795 HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36
Connection: close
Cache-Control: max-age=0
Origin: http://wioydcbiourl.com
Referer: http://demo.phpjabbers.com/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html)

## Time spent: 00:35:00
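The two defects named in the Description (an untrusted Origin echoed in Access-Control-Allow-Origin, and no Vary: Origin so caches can store that response) can be checked from response headers alone. The following is an added example, not code from the advisory or from the vendor; ALLOWED_ORIGINS and the sample response headers are constructed assumptions.

```python
"""Audit helper for the CORS weakness described above (added example).

ALLOWED_ORIGINS and VULNERABLE_RESPONSE are constructed assumptions,
not values taken from the vendor's application.
"""
ALLOWED_ORIGINS = {"https://demo.phpjabbers.com"}  # assumed trusted front-end origin


def audit_cors(request_origin: str, response_headers: dict) -> list[str]:
    """Return the CORS findings for a response to a request that carried
    `request_origin` in its Origin header. Header names are compared
    case-insensitively, as HTTP requires."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin", "")
    creds = hdrs.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in hdrs.get("vary", "").split(",")}
    findings = []
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
    elif acao and acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        # The server echoed an untrusted origin back: any site can read the response.
        findings.append("arbitrary origin reflected")
    if acao and acao != "*" and "origin" not in vary:
        # Without Vary: Origin a proxy may serve this ACAO value to other origins.
        findings.append("missing Vary: Origin (cacheable)")
    if creds and "arbitrary origin reflected" in findings:
        findings.append("credentials allowed for untrusted origin")
    return findings


def cors_response_headers(request_origin: str) -> dict:
    """Hardened server-side policy: only allowlisted origins are echoed,
    and Vary: Origin is always sent so caches key on the Origin header."""
    headers = {"Vary": "Origin"}
    if request_origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


# Constructed response headers modelled on the advisory's finding: the
# untrusted Origin is reflected and no Vary header is present.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Access-Control-Allow-Origin": "http://wioydcbiourl.com",
}

if __name__ == "__main__":
    print(audit_cors("http://wioydcbiourl.com", VULNERABLE_RESPONSE))
    print(audit_cors("http://wioydcbiourl.com",
                     cors_response_headers("http://wioydcbiourl.com")))
```

Running it reports both findings for the constructed vulnerable response and none for the hardened headers, which never echo an origin outside the allowlist.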