Excuse me, but I don't see any area where to report security issues; given the history of other users, I will put it here, but it would be highly advisable that you quickly fix the vulnerability and/or put this issue in private format until it is corrected.
Description
The current version of SLiMS 9.6.0 presents a high/critical vulnerability, since it allows an authenticated user with access to the "scrape_image.php" file to send requests to internal services or to load the content of very relevant internal files (system files, configuration files, backups, SSH keys, etc.) via the "imageURL" parameter.
Proof of Concept:
The following illustration shows how the malicious user can manage to load the contents of the "index.html" file of the internal web server on port 80 (a port not exposed externally), showing that the attacker would not only manage to discover internal services, but could also extract the information in image format encoded in base64.
In addition, this can allow reaching relevant files of the website; in this case it has been used to extract a backup of the site's database.
Finally, the vulnerability has been used to reach an internal file of the machine; this could be used to reach other files where SSH credentials or keys are exposed, gaining illegitimate access to the server and compromising the machine.
Expected behavior
The application should only load files in image format (png, gif, jpg, etc.) and from a specific path of the application, preventing the path from being altered arbitrarily and from the client side.
In addition, it should be prevented from loading from internal paths or from external servers not allowed by the application and/or organization, thus making it impossible to identify and reach internal resources or to reach malicious external sources that load malicious code.
Best regards,
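One way to implement the expected behaviour described in the report, as an added example in PHP (not SLiMS code and not the project's actual fix): the request is allowed only for http(s) URLs whose host is on an allowlist and resolves to a public address, the connection is pinned to the checked IP with redirects disabled, and the response bytes are sniffed to confirm they are an image. The ALLOWED_HOSTS and ALLOWED_MIME values are hypothetical configuration; it assumes PHP 8 with the curl and fileinfo extensions.

```php
<?php
// Added example, not SLiMS code: validate an untrusted "imageURL" before fetching it.
const ALLOWED_HOSTS = ['images.example.org'];   // hypothetical allowlist (assumption)
const ALLOWED_MIME  = ['image/png', 'image/jpeg', 'image/gif'];   // hypothetical
/** Return [host, port, public IPv4] for an allowlisted http(s) URL, or throw. */
function validateImageUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {   // blocks file://, gopher://, etc.
        throw new InvalidArgumentException('only http/https allowed');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {        // IP literals never match the allowlist
        throw new InvalidArgumentException("host not allowlisted: $host");
    }
    $ips = gethostbynamel($host) ?: throw new InvalidArgumentException("cannot resolve $host");
    foreach ($ips as $ip) {   // reject loopback, link-local, private and reserved ranges
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new InvalidArgumentException("$host resolves to non-public address $ip");
        }
    }
    return [$host, $p['port'] ?? ($scheme === 'https' ? 443 : 80), $ips[0]];
}

/** Fetch with redirects off and the checked IP pinned, then verify the bytes are really an image. */
function fetchImage(string $url): string
{
    [$host, $port, $ip] = validateImageUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                 // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$ip"],   // connect only to the IP we validated
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false || curl_getinfo($ch, CURLINFO_RESPONSE_CODE) !== 200) {
        throw new RuntimeException('fetch failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body); // sniff bytes, ignore Content-Type header
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new RuntimeException("not an allowed image type: $mime");
    }
    return $body;
}
```

The resolve-then-pin step matters because checking the IP and then letting curl resolve the name again would leave a DNS rebinding window; with CURLOPT_RESOLVE the connection goes to the address that was actually checked.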