lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <201805221505.w4MF5OxC017801@ip-100-122-159-248.us-east-1.ec2.aws.symcpe.net> Date: Tue, 22 May 2018 15:05:24 GMT From: fuming22@...il.com To: bugtraq@...urityfocus.com Subject: K2 smartforms runtime application - 4.6.11 SSRF # Vulnerability type: Server Side Request Forgery # Vendor: https://www.k2.com/ # Product: K2 Smartforms # Affected version: 4.6.11 # Credit: Foo Jong Meng # CVE ID: CVE-2018-9920 # DESCRIPTION: Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an https://*/Identity/STS/Forms/Scripts URL. By replacing the "GET" parameter to any external domain (i.e. https://www.external-domain.com) while accessing the affected application (e.g. https://url/Identity/STS/Forms/Scripts). The resulting page shows URL with https://url/Identity/STS/Forms/Scripts but rendering https://www.external-domain.com in the body (aka local web defacement). A port scan on the internal servers can be performed by changing the "GET" parameter URL and analysing the results of the return page. # PROOF OF CONCEPT: 1. Use a web proxy (i.e zapproxy, burp) to intercept "GET" request for: https://url/Identity/STS/Forms/Scripts 2. Replace the "GET" parameter to any external domain (i.e. https://www.external-domain.com/) 3. The resulting page is one with https://url/Identity/STS/Forms/Scripts but showing https://www.external-domain.com/ in the body.
Powered by blists - more mailing lists