Blind SSRF in the image upload module via URL in instantsoft/icms2

Valid

Reported on Aug 10th 2023


Description

A web application with a function for uploading images through a link provided by the user. This access error leads to RCE and scanning of intranet ports.

Proof of Concept

Video PoC link: https://drive.google.com/file/d/17fksa8odZAqCuqRQbOCutc9I7eoN_un-/view?usp=sharing

Steps

1. Use a service like Burp Collaborator to observe incoming requests.

2. Go to the add news function; in the image section there is a button for the user to provide an image link.

3. Provide a URL using the Burp Collaborator server's domain name so that the web app requests it.

4. Observe the incoming DNS and HTTP requests and see that there is a request from the Linux server to the Burp Collaborator server.

5. The video PoC conducted an internal port scan to see which ports are open, based on response time.

Impact

The SSRF vulnerability can be used to potentially compromise internal services that are exposed to internal network requests. Unfortunately, HTTP responses are not returned, but an attacker can still gather information about open ports and perform blind HTTP GET requests against internal services, potentially helping to find more severe vulnerabilities in internal network services.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back a month ago
instantsoft/icms2 maintainer
a month ago

Maintainer


Hello, thank you for participating!

This:

// Restrict curl to the http and https schemes (no gopher, file, dict, etc.)
curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
// Reject URLs whose host is written as a dotted-quad IPv4 literal (http(s)://a.b.c.d...);
// hostnames, IPv6 literals and other IPv4 spellings are not matched by this pattern
if (preg_match('#^(?:(?:https?):\/\/)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*#ui', $url)) {
    return null;
}

Will it solve the problem?

instantsoft/icms2 maintainer modified the Severity from Critical (10) to Medium (6.4) a month ago
instantsoft/icms2 maintainer gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Trunggg02
a month ago

Researcher


You need to review the severity of this vulnerability. It can scan local network ports as well as other IP addresses through request response time. Watch the video PoC.

Trunggg02
a month ago

Researcher


Here is a report showing the impact of SSRF: https://hackerone.com/reports/1960765

instantsoft/icms2 maintainer
a month ago

Maintainer


We watched the video. As a solution, we suggest forbidding all curl protocols except HTTP and HTTPS, and also not allowing IP addresses in URLs. So we ask: will this solution close the problem?

Trunggg02
a month ago

Researcher


The problem is that your web application still allows access to a server that the attacker controls and still allows the use of protocols other than HTTP and HTTPS.

instantsoft/icms2 maintainer
a month ago

Maintainer


We did not fix this issue in the demo. First, we make the edits on GitHub.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability a month ago
Trunggg02 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Trunggg02
a month ago

Researcher


Can you please specify a CVE for this vulnerability?

instantsoft/icms2 maintainer
a month ago

Maintainer


Yes, I will, after I mark it as resolved.

instantsoft/icms2 maintainer marked this as fixed in 2.16.1 with commit a6bf75 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
Trunggg02
a month ago

Researcher


Hi, can you please specify a CVE for the vulnerability in this report? https://huntr.dev/bounties/4a54134d-df1f-43d4-9b14-45f023cd654a/

instantsoft/icms2 maintainer published this vulnerability 22 days ago