Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-23752 Joomla! Webservice - Users,Passwords information disclosure #179

Merged
merged 3 commits into from
Feb 29, 2024
Merged

CVE-2023-23752 Joomla! Webservice - Users,Passwords information disclosure #179

merged 3 commits into from
Feb 29, 2024

Conversation

opcod3r
Copy link
Contributor

@opcod3r opcod3r commented Feb 10, 2024

BCheck Contributions

  • BCheck compiles and executes as expected
  • BCheck contains appropriate metadata (name, version, author, description and appropriate tags)
  • Only .bcheck files have been added or modified
  • BCheck is in the appropriate folder
  • PR contains single or limited number of BChecks (Multiple PRs are preferred)
  • BCheck attempts to minimize false positives
  • The following image illustrates the working poc:
    bcheck_portswigger_burp

Sniperax added 2 commits February 10, 2024 10:09
CVE-2023-23752
2f3c539 
in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
add references
64091f1
@PortSwiggerWiener
Copy link
Collaborator

Many thanks for your submission. It looks good. We just need to fix up that predicate I think.

@opcod3r
Copy link
Contributor Author

opcod3r commented Feb 11, 2024

Many thanks for your submission. It looks good. We just need to fix up that predicate I think.

Thanks!

How can i do that ? could you help me ? with this ?

@PortSwiggerWiener
Copy link
Collaborator

Absolutely! So if you attempt to validate your BCheck within Burp then you should see a syntax error from this line:

if {check2.response.status_code} is "200" and "\"type\":\"application\"" and "\"password\":" in {check2.response.body} then

The reason for this is the first and clause is incomplete and needs a 'subject'. So if you want to check the response body from check2, then you could write:

if {check2.response.status_code} is "200" and "\"type\":\"application\"" in {check2.response.body} and "\"password\":" in {check2.response.body} then

I'm not entirely sure of your BCheck detection logic though so you make need to modify this.

Hope that helps!

@Hannah-PortSwigger
Copy link
Contributor

Hi there!

Have you had a chance to review the feedback given?

Unfortunately, without this feedback implemented, we are not able to merge this pull request into the main repository.

If there's anything that we can help with, then please let us know.

ps-porpoise
ps-porpoise approved these changes Feb 29, 2024
View reviewed changes
Copy link
Contributor

@ps-porpoise ps-porpoise left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

PortSwiggerWiener
PortSwiggerWiener approved these changes Feb 29, 2024
View reviewed changes
Copy link
Collaborator

@PortSwiggerWiener PortSwiggerWiener left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍

@PortSwiggerWiener PortSwiggerWiener merged commit a393f69 into PortSwigger:main Feb 29, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PortSwiggerWiener PortSwiggerWiener PortSwiggerWiener approved these changes

@ps-porpoise ps-porpoise ps-porpoise approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@opcod3r @PortSwiggerWiener @Hannah-PortSwigger @ps-porpoise