Incomplete fix for SSRF in CVE-2023-4651 in instantsoft/icms2

Valid

Reported on

Sep 4th 2023


Description

The fix (commit a6bf758de0b3242b0c0e4b47a588aae0c94305b0) for CVE-2023-4651 is not complete. Only URLs whose host is a literal IP address are blocked.

Proof of Concept

Clone the latest repo and install.

On the server, listen on port 1234 of localhost.

Use http://localhost:1234/ as URL for image upload.

Observe a hit on port 1234.

Impact

Port scanning as in https://huntr.dev/bounties/beba9b98-2a5c-4629-987d-b67f47ba9437/

Other impact depending on internal service may also be possible.

Occurrences

Here the check is only performed when the URL's host is a literal IP address.

However, the attacker can use a domain name that resolves to a private IP address. In the example above, localhost is used, but other domains can also be used, like localtest.me.

To implement this properly, you would need to resolve the hostname in the supplied URL, then block the request if any resolved address falls in a reserved or private range.
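The check described above, written out as an added Python example (icms2 itself is PHP; this is not the project's code). The URL is parsed, the host is resolved, and every returned address is tested with the standard library's `ipaddress` classification; a literal IP in the URL takes the same path, so the original fix's case is covered too. The `FAKE_DNS` table is a constructed stand-in for DNS so the example runs offline; with `lookup=None` the function falls back to a real `socket.getaddrinfo` call.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table used in place of real DNS for this example.
# Hostnames under .example are placeholders; 8.8.8.8 stands in for any public address.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "localtest.me": ["127.0.0.1"],          # public name that resolves to loopback
    "meta.example": ["169.254.169.254"],    # link-local (cloud metadata style) address
    "mapped.example": ["::ffff:10.0.0.1"],  # IPv4-mapped IPv6 hiding a private v4 address
    "mixed.example": ["8.8.8.8", "10.0.0.5"],  # one public and one private answer
    "public.example": ["8.8.8.8"],
}


def resolve(host, lookup=None):
    """Return every IP address the host resolves to.

    `lookup` is an injectable dict used so the example runs offline; production
    code passes None and gets the real resolver. Resolving through getaddrinfo
    also catches numeric spellings (decimal or hex) that a URL-level IP check
    would not recognise as addresses.
    """
    if lookup is not None:
        return [ipaddress.ip_address(a) for a in lookup.get(host, [])]
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # sockaddr[0] is the textual address for both AF_INET and AF_INET6;
    # strip any "%scope" suffix that a link-local IPv6 answer may carry.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_global_address(ip):
    """True only for addresses routable on the public internet.

    Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) first so the embedded IPv4
    address is what gets classified. `is_global` is False for loopback,
    private, link-local, multicast, documentation and other reserved ranges.
    """
    inner = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this attribute
    return (inner or ip).is_global


def check_url(url, lookup=None):
    """Decide whether a user-supplied fetch URL may be requested.

    Returns (allowed, reason, pinned_ip). When allowed, pinned_ip is the
    address the HTTP client should actually connect to, so that the address
    that was checked is the address that gets used.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        # Literal IP in the URL: the case the original fix already blocked.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: resolve it and judge the answers, not the text of the URL.
        addrs = resolve(host, lookup)
    if not addrs:
        return False, "unresolvable host", None
    for ip in addrs:
        if not is_global_address(ip):
            return False, f"{host} resolves to non-global address {ip}", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    for u in ("http://localhost:1234/", "http://localtest.me/",
              "http://[::1]/", "http://mixed.example/", "http://public.example/"):
        print(u, "->", check_url(u, lookup=FAKE_DNS))
```

The pinned address matters: if the fetch performs its own lookup after the check, a name whose DNS answer changes between the two lookups would pass the check and still reach an internal address. The HTTP client should therefore connect to `pinned_ip` and send the original hostname in the `Host` header (and as the TLS server name), and the same check has to be repeated for every redirect target.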

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 17 days ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 16 days ago
Fuze validated this vulnerability 13 days ago
asesidaa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1-git with commit d0aeea 11 days ago
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
Fuze published this vulnerability 11 days ago
uploader.php#L349 has been validated