Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

K2 Smartforms 4.6.11 Server-Side Request Forgery

🗓️ 22 May 2018 00:00:00Reported by Foo Jong MengType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 43 Views

K2 Smartforms 4.6.11 Server-Side Request Forgery Vulnerability via Modified Hostnam

Related
Code
ReporterTitlePublishedViews
Family
CNVD		K2 smartforms server-side request forgery vulnerability
25 May 201800:00
cnvd
CVE		CVE-2018-9920
24 May 201813:00
cve
Cvelist		CVE-2018-9920
24 May 201813:00
cvelist
EUVD		EUVD-2018-21512
7 Oct 202500:30
euvd
NVD		CVE-2018-9920
24 May 201813:29
nvd
Prion		Server side request forgery (ssrf)
24 May 201813:29
prion
`# Vulnerability type: Server Side Request Forgery  
# Vendor: https://www.k2.com/  
# Product: K2 Smartforms  
# Affected version: 4.6.11  
# Credit: Foo Jong Meng  
# CVE ID: CVE-2018-9920  
  
# DESCRIPTION:  
  
Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an https://*/Identity/STS/Forms/Scripts URL.  
  
By replacing the "GET" parameter to any external domain (i.e. https://www.external-domain.com) while accessing the affected application (e.g.  
https://url/Identity/STS/Forms/Scripts).   
  
The resulting page shows URL with https://url/Identity/STS/Forms/Scripts but rendering https://www.external-domain.com in the body (aka local web defacement).   
  
A port scan on the internal servers can be performed by changing the "GET" parameter URL and analysing the results of the return page.  
  
  
# PROOF OF CONCEPT:  
1. Use a web proxy (i.e zapproxy, burp) to intercept "GET" request for:  
https://url/Identity/STS/Forms/Scripts  
  
2. Replace the "GET" parameter to any external domain (i.e. https://www.external-domain.com/)  
  
3. The resulting page is one with https://url/Identity/STS/Forms/Scripts but showing https://www.external-domain.com/ in the body.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 May 2018 00:00Current
1Low risk
Vulners AI Score1
EPSS0.00166
server side request forgeryk2 smartformsruntime applicationmodified hostnameexternal domainport scanweb proxy
43