
SSRF via SVG file upload in Rhymix CMS 1.9.8.1 #1089

Closed
security-breachlock opened this issue Sep 16, 2018 · 3 comments
Labels: bug (confirmed as a bug), patch available (marks that a patch exists; used together with bug), security (security vulnerability)


security-breachlock commented Sep 16, 2018

Affected software: Rhymix CMS 1.9.8.1

Type of vulnerability: SSRF via SVG file upload.

Description:

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Subodh Kumar

Description: SSRF, or Server Side Request Forgery, is a vulnerability that allows an attacker to force server interfaces into sending packets initiated by the victim server to the local interface or to another server behind the firewall. Consult Web References for more information about this problem.

Impact on the server:
Abuse the trust relationship between the vulnerable server and others.
Bypass IP whitelisting.
Bypass host-based authentication services.
Read resources which are not accessible to the public, such as trace.axd in ASP.NET or metadata APIs in an AWS environment.
Scan the internal network to which the server is connected.
Read files from the web server.
View Status Pages and interact with APIs as the web server.
Retrieve sensitive information such as the IP address of a web server behind a reverse proxy.

Remediation: Your script should properly sanitize user input.
https://www.owasp.org/index.php/Unrestricted_File_Upload

Here is the crafted code for SSRF. Save this code as an .svg file, i.e. SSRF.svg

Steps to reproduce the vulnerability:

  1. Log in to the site as admin.

  2. Open URL http://127.0.0.33/rhymix-master/index.php?module=admin&act=dispModuleAdminFileBox

  3. Upload SVG file with crafted SSRF code (See image upload.png).

  4. Start netcat listener using the command "nc -nvlp 1234" (See image netcatlistner.png).

  5. Open the uploaded file.

  6. Check netcat listener (See image ncrequest.png).

kijin added the bug (confirmed as a bug) and security (security vulnerability) labels Sep 16, 2018

kijin commented Sep 16, 2018

Thank you for reporting this bug. Rhymix is a fork of an 11-year-old CMS that we're desperately trying to modernize. We will share any security issues with upstream as well.

The SSRF.svg file you mentioned seems to have been lost by the GitHub markdown parser. Are you referring to some variation of the example at the following link?
https://gist.github.com/random-robbie/dbc7d80c75af03922df1343c45dfceec?short_path=bca6fc6

We will fix this shortly by disallowing any scheme other than data: in the xlink:href attribute of any tag in an uploaded SVG file.
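As an added illustration of the check kijin describes (example code, not Rhymix's own, which is PHP): a Python upload filter that walks every element of the SVG and rejects any xlink:href, or unprefixed SVG 2 href, whose scheme is not data:. It also lets same-document #fragment references through, since <use> and gradient references need them; that allowance and the unprefixed-href handling are assumptions beyond the rule stated in the comment.

```python
"""Upload-time SVG check: reject any href / xlink:href that is not a data: URI
or a same-document fragment. Illustrative code, not Rhymix's implementation."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "http://www.w3.org/1999/xlink"
# xlink:href is the attribute named in the thread; unprefixed href is its
# SVG 2 equivalent and is treated the same (an assumption of this example).
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)


def external_references(svg_bytes: bytes) -> list:
    """Return the href values that would make the renderer reach outside the
    document: any scheme other than data:, or a non-fragment relative
    reference that the server would resolve against its own origin."""
    root = ET.fromstring(svg_bytes)
    refs = []
    for elem in root.iter():          # every element, however deeply nested
        for attr in HREF_ATTRS:
            value = elem.get(attr)
            if value is None:
                continue
            value = value.strip()
            if value.startswith("#"):  # same-document reference, e.g. <use>
                continue
            if urlsplit(value).scheme.lower() != "data":
                refs.append(value)
    return refs


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept the upload only if it parses and contains no external reference."""
    try:
        return not external_references(svg_bytes)
    except ET.ParseError:
        return False  # fail closed: a file the parser cannot read is rejected


# Constructed samples (not the files from the report).
SVG_NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="%s"' % XLINK_NS
BAD_SVG = ('<svg %s><g><image width="1" height="1" '
           'xlink:href="http://127.0.0.1:1234/probe"/></g></svg>' % SVG_NS).encode()
OK_SVG = ('<svg %s><defs><rect id="r" width="1" height="1"/></defs><use href="#r"/>'
          '<image width="1" height="1" href="data:image/gif;base64,R0lGODlhAQABAAAAACw="/>'
          '</svg>' % SVG_NS).encode()

if __name__ == "__main__":
    print(external_references(BAD_SVG))                # ['http://127.0.0.1:1234/probe']
    print(is_safe_svg(BAD_SVG), is_safe_svg(OK_SVG))  # False True
```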

kijin added a commit that referenced this issue Sep 16, 2018
kijin added the patch available (marks that a patch exists; used together with bug) label Sep 18, 2018

security-breachlock (Author) commented

Hi kijin,

Here is the crafted code to reproduce the SSRF via SVG file upload.

  1. Save this code as an .svg file and upload it to the CMS.
  2. Run the netcat server by running the command "nc -nvlp 1234".
  3. Visit the link of the uploaded SVG file.
  4. Check the netcat server; here you will see the requests.

Note:

  1. Rhymix CMS should be hosted on your local server.
  2. If you are trying to reproduce the vulnerability on a live server, then you need to run the netcat server on a publicly available system and change xlink:href="http://127.0.0.1:1234" to xlink:href="http://Your_publicly_Accessible_IP:1234" in the SVG file.

Netcat for Windows can be downloaded from here - https://github.com/diegocr/netcat

Thanks


kijin commented Oct 4, 2018

Fixed in 1.9.8.2

@kijin kijin closed this as completed Oct 4, 2018