CVE-2014-9301

Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

Recent assessments:

theguly at March 11, 2020 3:11pm UTC reported:

despite the age of this vuln, we still find vulnerable Alfresco, therefore it’s worth a quick assessment to me.

having tried to exploit /proxy?endpoint i think there is no known way to execute a “useful” attack.

endpoint parameter can be abused to only do GET, so to achieve a write against an internal endpoint you should first have to find something that accepts modification using GET. possible, but uncommon.
HTML for the requested endpoint will be sent back to the attacker, and this could be a useful information, but mostly info disclosure. again depends on what’s in internal network, still possible but uncommon to find really juicy stuff.

plus, if my skills in reading java code are good enough, a quick code review in source code revealed that just http and https protocols are supported by calling Classe. no file:// or something can be used to achieve, say, LFI.

still useful to map internal network or dirty other servers’ log, and to collect information, but this vuln has a quite limited value to me.

Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 5