Incomplete fix for SSRF in CVE-2023-4651 in instantsoft/icms2

Valid

Reported on

Sep 4th 2023


Description

The fix (commit a6bf758de0b3242b0c0e4b47a588aae0c94305b0) for CVE-2023-4651 is not complete. Only ip based URLs are blocked.

Proof of Concept

Clone the latest repo and install.

On server, listen for 1234 on localhost.

Use http://localhost:1234/ as URL for image upload.

Observe a hit on port 1234.

Impact

Port scanning as in https://huntr.dev/bounties/beba9b98-2a5c-4629-987d-b67f47ba9437/

Other impact depending on internal service may also be possible.

Occurrences

Here the check is only performed for ip based URLs.

However, the attacker can use a domain that resolves to private ip address. In the example above, localhost is used. But other domains can also be used, like localtest.me

To properly implement this, you would need to get the resolved ip address of the URL provided then block access to reserved addresses.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. 5 months ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back 5 months ago
Fuze validated this vulnerability 5 months ago
asesidaa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Fuze marked this as fixed in 2.16.1-git with commit d0aeea 5 months ago
Fuze has been awarded the fix bounty
This vulnerability has now been published 5 months ago
uploader.php#L349 has been validated
to join this conversation