CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in microweber/microweber

Valid

Reported on

Feb 17th 2022


Description

The introduction of a new line character lets the attacker see the stack trace at demo.microweber.org/. This attack becomes more significant because of its low complexity.

The stack trace discloses the following information:

  1. Backend response code.
  2. The version of the backend Laravel technology.
  3. The routing path.

Proof of Concept

  1. Visit the following URL: https://demo.microweber.org/demo/api/logout?redirect_to=
  2. Now add the CRLF payload to the parameter. It will look like this: https://demo.microweber.org/demo/api/logout?redirect_to=xyz%0d%0axyz

Impact

This vulnerability is capable of disclosing a sensitive stack trace exposed by the back end, which will let the attacker escalate his/her attack vector.

I hope you understand this issue and fix it as soon as possible. Thank you.

Occurrences

I don't have a complete idea where this issue is actually occurring in the code link provided, but I'm guessing it should be a potential path for that vulnerability to occur.
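The report above shows a raw redirect_to value reaching the response with a CRLF in it. As an added example (not Microweber's code and not the fix the maintainers merged), the snippet below contrasts the vulnerable shape of such a logout handler with a hardened one that validates the parameter before it is used in a Location header. Function names, the validator's rules and the sample inputs are constructed for illustration; the report itself does not state which code path produced the trace, so the warning-to-exception chain described in the comments is one plausible mechanism, not a claim about the demo site.

```php
<?php
// Added example, not Microweber's code. Names are hypothetical.
declare(strict_types=1);

/**
 * Return a redirect target that is safe to place in a Location header,
 * or $fallback when the candidate is not acceptable.
 *  - rejects CR, LF and other control characters (header injection)
 *  - rejects absolute URLs and scheme-relative "//host" or "/\host" (open redirect)
 */
function safe_redirect_target(string $candidate, string $fallback = '/'): string
{
    // %0d%0a arrives here already URL-decoded as "\r\n"; no control byte belongs in a URL.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Allow only a same-site path: exactly one leading "/", not followed by "/" or "\".
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

// Vulnerable shape: the query parameter is passed straight to header().
// PHP refuses a header value containing a newline and raises a warning;
// a framework that converts warnings to exceptions and runs with debug
// output enabled will then render a stack trace to the client.
function logout_vulnerable(array $query): void
{
    $target = $query['redirect_to'] ?? '/';
    header('Location: ' . $target); // CRLF in $target -> warning/exception -> trace
}

// Hardened shape: validate first, so the client can neither inject header
// lines nor choose the destination host.
function logout_hardened(array $query): void
{
    $target = safe_redirect_target((string) ($query['redirect_to'] ?? '/'));
    header('Location: ' . $target, true, 302);
}

// Constructed inputs, mirroring the report's payload and common abuse cases.
$cases = [
    "xyz\r\nxyz"           => '/',      // the report's payload: CRLF rejected
    '/admin'               => '/admin', // plain same-site path accepted
    '//evil.example/'      => '/',      // scheme-relative open redirect rejected
    'https://evil.example' => '/',      // absolute URL rejected
    "/\\evil.example"      => '/',      // backslash variant rejected
];
foreach ($cases as $in => $want) {
    $got = safe_redirect_target($in);
    printf("%-28s -> %-8s %s\n", json_encode($in), $got, $got === $want ? 'ok' : 'MISMATCH');
}
```

Two points are worth separating when triaging a report like this one: the filtering gap (the redirect parameter accepting control characters) is fixed by a validator such as the one above, while the fact that the resulting error surfaced as a full stack trace is a deployment setting, so a production Laravel instance should also run with debug output disabled regardless of the code fix.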

We are processing your report and will contact the microweber team within 24 hours. 3 months ago
Yash K
3 months ago

Researcher


Hello, I found another path which discloses more information regarding the stack trace:

https://demo.microweber.org/demo/admin/view:modules/load_module:admin/action:profile As you can see, the name "users" in load_module: is changed to "admin", which discloses more information about the particular user. Thank you.

Peter Ivanov validated this vulnerability 3 months ago
Yash K has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on f0e338 3 months ago
Peter Ivanov has been awarded the fix bounty
Controller.php#L1-L21 has been validated
Peter Ivanov
3 months ago

Maintainer


the other issue is also fixed in this commit https://github.com/microweber/microweber/commit/a1667f11dca579105818bc5ee3f85230dfd45c5e

Bozhidar
3 months ago

Maintainer


fixed
