Closed
Description
The bug
A Server-Side Request Forgery (SSRF) exists in admin/modules/bibliography/marcsru.php and admin/modules/bibliography/z3950sru.php, caused by the XML parser class in lib/marc/XMLParser.inc.php fetching the SRU source URL that these scripts take straight from the request.
Reproduce
Steps to reproduce the behavior:
- Go to http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/index.php?mod=bibliography, then open Copy Cataloguing and choose either MARC SRU or Z39.50 SRU
- type anything in the search bar
- turn Burp Suite intercept on
- change the value of the `z3950_SRU_source` or `marc_SRU_source` parameter to a URL you control that logs incoming traffic, then forward the request
- or just visit http://127.0.0.1:8008/slims9_bulian-9.4.2/admin/modules/bibliography/marcsru.php?keywords=aaaaaaaa&index=0&marc_SRU_source=URL_ENCODED_ENDPOINT_THAT_CAPTURE_HTTP_LIKE_HOOKBIN directly, where the last value is a URL-encoded endpoint that captures HTTP requests (for example a Hookbin bin); the server then makes an outbound request to that endpoint
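As an added example (not code from SLiMS or from this report), here is the kind of server-side check that the steps above show is missing: the `marc_SRU_source` / `z3950_SRU_source` value is accepted only when it matches a configured SRU endpoint, so the attacker-controlled catcher URL and loopback targets are refused before any request is made. The endpoint list, the `hookbin.example` host and the function names are constructed placeholders, not SLiMS configuration or SLiMS code.

```python
"""Allowlist validation for an SRU source parameter (added example, not SLiMS code).

Assumptions (not taken from the report): the application keeps a fixed list of
configured SRU endpoints, and only those may be fetched server-side.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical configured SRU endpoints (constructed placeholders).
ALLOWED_SRU_SOURCES = {
    "http://sru.example.org/sru",
    "https://catalog.example.net/sru",
}
ALLOWED_SCHEMES = {"http", "https"}


def canonical_form(url):
    """Return (canonical_url, host) for allowlist comparison, or None if the
    URL is unparseable, uses a disallowed scheme, or has no host.
    Canonical form: lower-case scheme and host, default port dropped,
    trailing slash trimmed, query string and fragment ignored."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not host:
        return None
    host = host.lower()
    default_port = 80 if scheme == "http" else 443
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path.rstrip('/')}", host


# Normalise the allowlist once so comparison is exact.
_ALLOWED_CANONICAL = {canonical_form(u)[0] for u in ALLOWED_SRU_SOURCES}


def is_internal_literal(host):
    """True when host is a literal IP in loopback/private/link-local/other
    non-public ranges. Hostnames are deliberately not resolved here (offline
    example); a production check must also resolve the name and test every
    returned address against the same ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def validate_sru_source(url):
    """Return (accepted, reason). Only exact matches against the configured
    endpoints are accepted; anything else, including the report's
    request-catcher URL and loopback targets, is refused."""
    parsed = canonical_form(url)
    if parsed is None:
        return False, "unparseable URL, missing host or disallowed scheme"
    canonical, host = parsed
    if is_internal_literal(host):
        return False, "target is an internal address"
    if canonical not in _ALLOWED_CANONICAL:
        return False, "source is not a configured SRU endpoint"
    return True, "ok"


def validate_query_string(query, param):
    """Validate the named source parameter of a marcsru.php / z3950sru.php
    style query string, e.g. marc_SRU_source=... as in the report."""
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return False, f"{param} missing or repeated"
    return validate_sru_source(values[0])


if __name__ == "__main__":
    # Constructed sample inputs: the tampered query from the report's last step
    # (with a placeholder catcher host) and a legitimate configured source.
    tampered = "keywords=aaaaaaaa&index=0&marc_SRU_source=http%3A%2F%2Fhookbin.example%2Fcatch"
    legit = "keywords=aaaaaaaa&index=0&marc_SRU_source=https%3A%2F%2Fcatalog.example.net%2Fsru"
    print(validate_query_string(tampered, "marc_SRU_source"))
    print(validate_query_string(legit, "marc_SRU_source"))
```

Two design points worth keeping whichever language the fix ends up in (SLiMS itself is PHP, where `parse_url()` and `filter_var()` fill the same roles): exact matching against a configured list is the primary control, since SRU sources are administrator configuration rather than free user input, and the internal-address check is only defence in depth that must additionally cover DNS resolution results and redirects followed by the HTTP client.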
Screenshots
Normal request
Tampered request and SSRF trigger (netcat listener)
Tampered request and SSRF trigger (toptal.com)
Versions
- OS: MacOS Mojave 10.14.6
- Browser: Google Chrome | 103.0.5060.134 (Official Build) (x86_64)
- Slims Version: slims9_bulian-9.4.2