[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

K2 smartforms runtime application - 4.6.11 SSRF

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: K2 smartforms runtime application - 4.6.11 SSRF
From: fuming22@xxxxxxxxx
Date: Tue, 22 May 2018 15:05:24 GMT

# Vulnerability type: Server Side Request Forgery
# Vendor: https://www.k2.com/
# Product: K2 Smartforms
# Affected version: 4.6.11
# Credit: Foo Jong Meng
# CVE ID: CVE-2018-9920

# DESCRIPTION:

Server side request forgery exists in the runtime application in K2 smartforms 
4.6.11 via a modified hostname in an https://*/Identity/STS/Forms/Scripts URL.

By replacing the "GET" parameter to any external domain (i.e. 
https://www.external-domain.com) while accessing the affected application (e.g.
https://url/Identity/STS/Forms/Scripts). 

The resulting page shows URL with https://url/Identity/STS/Forms/Scripts but 
rendering https://www.external-domain.com in the body (aka local web 
defacement). 

A port scan on the internal servers can be performed by changing the "GET" 
parameter URL and analysing the results of the return page.


# PROOF OF CONCEPT:
1. Use a web proxy (i.e zapproxy, burp) to intercept "GET" request for:
https://url/Identity/STS/Forms/Scripts

2. Replace the "GET" parameter to any external domain (i.e. 
https://www.external-domain.com/)

3. The resulting page is one with https://url/Identity/STS/Forms/Scripts but 
showing https://www.external-domain.com/ in the body.

Prev by Date: [slackware-security] Slackware 14.2 kernel (SSA:2018-142-01)
Next by Date: [slackware-security] procps-ng (SSA:2018-142-03)
Previous by thread: [slackware-security] Slackware 14.2 kernel (SSA:2018-142-01)
Next by thread: [slackware-security] procps-ng (SSA:2018-142-03)
Index(es):
- Date
- Thread