Description: SSRF as in Server Side Request Forgery is a vulnerability that allows an attacker to force server interfaces into sending packets initiated by the victim server to the local interface or to another server behind the firewall. Consult Web References for more information about this problem.
Impact on the server:
Abuse the trust relationship between the vulnerable server and others.
Bypass IP whitelisting.
Bypass host-based authentication services.
Read resources which are not accessible to the public, such as trace.axd in ASP.NET or metadata APIs in an AWS environment.
Scan the internal network to which the server is connected.
Read files from the web server.
View Status Pages and interact with APIs as the web server.
Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.
Thank you for reporting this bug. Rhymix is a fork of an 11-year-old CMS that we're desperately trying to modernize. We will share any security issues with upstream as well.
Here is the crafted code to reproduce the SSRF via SVG file upload.
Save this code as a .svg file and upload it to the CMS.
Run the netcat server by running the command "nc -nvlp 1234".
Visit the link of the uploaded SVG file.
Check netcat server, here you will see the requests.
Note:
Rhymix CMS should be hosted on your local server.
If you are trying to reproduce the vulnerability on the live server then you need to run the netcat server on a publicly available system and change the xlink:href="http://127.0.0.1:1234" to xlink:href="http://Your_publically_Accessible_IP:1234" in the SVG file.
Affected software: Rhymix CMS 1.9.8.1
Type of vulnerability: SSRF via SVG file upload.
Description:
Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Subodh Kumar
Remediation: Your script should properly sanitize user input.
https://www.owasp.org/index.php/Unrestricted_File_Upload
Here is the crafted code for SSRF. Save this code as a .svg file, i.e. SSRF.svg
Steps to reproduce the vulnerability:
Log in to the site as admin.
Open URL http://127.0.0.33/rhymix-master/index.php?module=admin&act=dispModuleAdminFileBox
Upload SVG file with crafted SSRF code (See image upload.png).

Start netcat listener using the command "nc -nvlp 1234" (See image netcatlistner.png).

Open the uploaded file.
Check netcat listener (See image ncrequest.png).
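One way to apply the remediation above at upload time, as an added example (not Rhymix code and not part of the report): parse the uploaded SVG and reject it if any href, xlink:href, src or CSS url(...) points outside the file. The function names, the allow-list and both sample files are assumptions constructed for illustration; the check assumes UTF-8 uploads and refuses DOCTYPE/ENTITY declarations before parsing.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_ATTRS = {"href", XLINK_HREF, "src"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
# Allowed targets: same-document fragments and inline raster images only.
LOCAL_REF = re.compile(r"^(#|data:image/(png|jpe?g|gif)[;,])", re.I)


def external_refs(svg: bytes) -> list:
    """Return (element, attribute, value) for each reference that leaves the file."""
    text = svg.decode("utf-8-sig")  # non-UTF-8 input raises a ValueError subclass
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    found = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if name in URL_ATTRS and not LOCAL_REF.match(value.strip()):
                found.append((tag, attr, value))
            # url(...) inside style or presentation attributes
            found += [(tag, attr, ref) for ref in CSS_URL.findall(value)
                      if not LOCAL_REF.match(ref)]
        if tag == "style" and el.text:
            found += [(tag, "text", ref) for ref in CSS_URL.findall(el.text)
                      if not LOCAL_REF.match(ref)]
    return found


def accept_upload(svg: bytes) -> bool:
    """True only if the file parses and references nothing outside itself."""
    try:
        return not external_refs(svg)
    except (ValueError, ET.ParseError):
        return False


# Constructed samples, not the reporter's file.
SAMPLE_EXTERNAL = b"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://127.0.0.1:1234" width="1" height="1"/>
</svg>"""
SAMPLE_LOCAL = b"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="c" r="4"/></defs><use xlink:href="#c"/>
</svg>"""

if __name__ == "__main__":
    print(external_refs(SAMPLE_EXTERNAL), accept_upload(SAMPLE_LOCAL))
```

A file that fails this check can be refused outright or served only as a download (Content-Disposition: attachment) so it is never rendered inline.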
