
SLiMS 9.6.0 - Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI) #194

Closed
m3n0sd0n4ld opened this issue Jul 7, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@m3n0sd0n4ld

Hi,

Excuse me, but I don't see any area where to report security issues. Given the history of other users, I will put it here, but it would be highly advisable that you quickly fix the vulnerability and/or put this issue in private format until it is corrected.

Description
The current version of SLiMS 9.6.0 presents a high/critical vulnerability, since it allows an authenticated user with access to the "scrape_image.php" file to send requests to internal services or to load the content of very relevant internal files (system files, configuration files, backups, SSH keys, etc.) via the "imageURL" parameter.

Proof of Concept:
The following illustration shows how the malicious user can manage to load the contents of the "index.html" file of the internal web server on port 80 (a port not exposed externally), showing that the attacker would not only be able to discover internal services, but could also extract the information in image format encoded in base64.

[Screenshot: SLiMS 9 6 0 - ssrf - 2]

In addition, this can allow reaching relevant files of the website; in this case it has been used to extract a backup of the site's database.

[Screenshot: SLiMS 9 6 0 - ssrf - 4]

Finally, the vulnerability has been used to reach an internal file of the machine; this could be used to reach other files where SSH credentials or keys are exposed, gaining illegitimate access to the server and compromising the machine.

[Screenshot: SLiMS 9 6 0 - ssrf - 5]

Expected behavior
The application should only load files in image format (png, gif, jpg, etc.) and from a specific path of the application, preventing the path from being altered arbitrarily from the client side.

In addition, it should be prevented from loading internal paths or external servers not allowed by the application and/or organization, thus making it impossible to identify and reach internal resources or to reach malicious external sources in order to load malicious code.

Best regards,

@m3n0sd0n4ld m3n0sd0n4ld added the bug Something isn't working label Jul 7, 2023
@m3n0sd0n4ld m3n0sd0n4ld changed the title Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI) SLiMS 9.6.0 - Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI) Jul 7, 2023
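The "Expected behavior" above describes two controls: a local image may only be served from one application directory and only if it really is an image, and a remote image may only be fetched from hosts the application explicitly allows, never from internal address space. The following PHP is an added illustration of those controls and is not code from the SLiMS project or from the reporter; the function names, the `images/docs` directory, the host allowlist and the PHP 8.0+ requirement (for `str_starts_with`/`str_contains`) are assumptions, and the DNS check needs a resolver at runtime.

```php
<?php
// Added example, not SLiMS project code. Assumes PHP 8.0+ (str_starts_with/str_contains).
// Function names, the image directory and the host allowlist are illustrative assumptions.
declare(strict_types=1);

const ALLOWED_IMAGE_EXTENSIONS = ['png', 'gif', 'jpg', 'jpeg', 'webp'];

/**
 * Resolve a client-supplied image reference to a file inside $imageDir.
 * Returns the canonical path, or null if the reference is not an allowed image.
 */
function resolveLocalImage(string $ref, string $imageDir): ?string
{
    // Reject URLs, absolute paths, NUL bytes and traversal sequences outright:
    // the parameter may only name a file relative to the image directory.
    if ($ref === '' || str_contains($ref, "\0") || str_contains($ref, '..')
        || str_starts_with($ref, '/') || str_starts_with($ref, '\\')
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $ref)) {
        return null;
    }
    $ext = strtolower(pathinfo($ref, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }
    $base = realpath($imageDir);
    $real = realpath($imageDir . DIRECTORY_SEPARATOR . $ref);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonicalised path: symlinks and encoded
    // traversal are resolved by realpath() before the comparison.
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    // Content check: the bytes must actually decode as an image, so a renamed
    // backup or config file carrying a .jpg extension is still refused.
    if (@getimagesize($real) === false) {
        return null;
    }
    return $real;
}

/** True only for a syntactically valid IP that is neither private nor reserved. */
function isPublicAddress(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Validate a remote image URL against an explicit host allowlist and refuse
 * any host that resolves to loopback, private or reserved address space.
 * Returns the URL unchanged if acceptable, otherwise null.
 */
function validateRemoteImageUrl(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // no file://, php://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;                      // no embedded credentials, no arbitrary ports
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return null;
    }
    // Check every address the name resolves to (needs DNS at runtime).
    // Caveat: the fetch that follows must connect to one of these checked
    // addresses rather than resolving the name a second time, otherwise a
    // DNS rebinding answer can still steer it to an internal host.
    $addresses = gethostbynamel($host);
    if ($addresses === false || $addresses === []) {
        return null;
    }
    foreach ($addresses as $ip) {
        if (!isPublicAddress($ip)) {
            return null;
        }
    }
    return $url;
}

// Illustrative use in a scrape_image.php-style endpoint (directory is assumed):
$ref  = (string) ($_GET['imageURL'] ?? '');
$path = resolveLocalImage($ref, __DIR__ . '/images/docs');
if ($path === null) {
    http_response_code(400);
    exit('invalid image reference');
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
readfile($path);
```

The local branch is the one that closes the LFI described in the report: the reference is treated as a relative filename, canonicalised with `realpath()`, and only served if the resolved path stays under the image directory and the bytes decode as an image. The remote branch addresses the SSRF half: an explicit host allowlist plus a check that no resolved address is private or reserved, with the caveat that the subsequent HTTP client must connect to a checked address rather than re-resolving the name.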
@drajathasan
Collaborator

Thanks for your report. Will be fixed ASAP.

@m3n0sd0n4ld
Author

Hi,

From INCIBE, they have indicated to me that the identifier CVE-2023-3744 is reserved for this vulnerability.

Best regards,
