Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Impact version: 2.2.5
Test with PHP 7.2
The vulnerable code is located in the update function of the app/admin/c/TemplateController.php file, which fails to validate the download_url parameter, causing a taint flow from the source $remote_url variable into the sink function fopen. This eventually leads to an SSRF vulnerability that can send a request to the URL specified by the download_url parameter.
Because the download_url parameter is not restricted, it is also possible to use the server-side to send requests, such as probing intranet web services. The corresponding PoC is as follows:
You can also use the following curl command to verify the vulnerability:
We can then see the corresponding request in the Apache server logs, which proves that the SSRF vulnerability can be triggered.
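One way to close the taint flow described above, from a request parameter such as download_url into fopen, shown as an added example that is neither the project's code nor the reporter's. The allowlist, the function names, and every host and IP are hypothetical placeholders, and the fetch uses curl with a pinned address instead of fopen so the vetted IP is the one actually contacted.

```php
<?php
// Added example, not the project's code; hosts and IPs are constructed placeholders.
const ALLOWED_HOSTS = ['templates.example.com', 'cdn.example.com'];
function is_public_ip(string $ip): bool
{   // Rejects RFC 1918, loopback, link-local and other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns [host, ip] to pin the connection to; throws if the URL is rejected.
function validate_download_url(string $url, ?callable $resolve = null): array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }   // No http://, file://, gopher://, embedded credentials or custom ports.
    if (strtolower($p['scheme']) !== 'https' || isset($p['user']) || isset($p['port'])) {
        throw new InvalidArgumentException('only plain https:// URLs are accepted');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('host not on allowlist');
    }
    $ips = ($resolve ?? 'gethostbynamel')($host) ?: [];  // IPv4 only, for brevity
    if ($ips === [] || count(array_filter($ips, 'is_public_ip')) !== count($ips)) {
        throw new InvalidArgumentException('host resolves to a non-public address');
    }
    return [$host, $ips[0]];
}

function fetch_template(string $url): string
{
    [$host, $ip] = validate_download_url($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["$host:443:$ip"], // connect only to the vetted IP
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,             // a redirect would skip the checks
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException('download failed'); }
    return $body;
}
// Constructed inputs; the stub resolver stands in for DNS so the demo runs offline.
$stub = function ($h) { return $h === 'cdn.example.com' ? ['10.0.0.5'] : ['203.0.113.10']; };
$urls = ['http://127.0.0.1/', 'https://intranet.example/admin',
         'https://cdn.example.com/t.zip', 'https://templates.example.com/t.zip'];
foreach ($urls as $u) {
    try { validate_download_url($u, $stub); echo "accept $u\n"; }
    catch (InvalidArgumentException $e) { echo "reject $u: {$e->getMessage()}\n"; }
}
```

Resolving once and pinning that address with CURLOPT_RESOLVE keeps the check and the connection on the same IP, so a DNS answer that changes between validation and fetch cannot steer the request to an internal host.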