- Posts: 3
- Thank you received: 0
Vulnerability Report:Unauthenticated LFI/SSRF via file_get_content() function
2 years 5 months ago #45
by Vishal Saini
Vulnerability Report:Unauthenticated LFI/SSRF via file_get_content() function was created by Vishal Saini
Description
Local File Inclusion is a web vulnerability that results from mistakes at the website or web application programmers’ end. A hacker can take advantage of this vulnerability to include malicious files which are then executed by the vulnerable website or web application.In an LFI vulnerability, the included file is already present on the local application server, targeted by the hacker. If successful, the attacker can read important files, access more sensitive information, or run arbitrary commands.
A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal.
Root Cause
The file at media/js/freeboard/plugins/datasources/getcontent/getcontent.php takes the input in URL parameter and passes it directly to file_get_content() which as a result causes this vulnerability allowing attacker to retrieve internal files (LFI), make requests to internal services via the server which leads to remote code execution on cloud instances via metadata retrieval (SSRF).
Severity: Critical
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Steps to reproduce
Local File Inclusion is a web vulnerability that results from mistakes at the website or web application programmers’ end. A hacker can take advantage of this vulnerability to include malicious files which are then executed by the vulnerable website or web application.In an LFI vulnerability, the included file is already present on the local application server, targeted by the hacker. If successful, the attacker can read important files, access more sensitive information, or run arbitrary commands.
A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs. URLs can be manipulated, either by replacing them with new ones or by tampering with URL path traversal.
Root Cause
The file at media/js/freeboard/plugins/datasources/getcontent/getcontent.php takes the input in URL parameter and passes it directly to file_get_content() which as a result causes this vulnerability allowing attacker to retrieve internal files (LFI), make requests to internal services via the server which leads to remote code execution on cloud instances via metadata retrieval (SSRF).
Severity: Critical
CVSS Score: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Steps to reproduce
- Install Joomla 3 and install the JC Dashboards extension
- Once done visit the following URL in private window http://192.168.1.21/media/com_jcdashboards/js/freeboard/plugins/datasources/getcontent/getcontent.php?url=file:///etc/passwd
- Response will leak the passwd file of the server
Please Log in or Create an account to join the conversation.
2 years 5 months ago #47
by Vishal Saini
Replied by Vishal Saini on topic Vulnerability Report:Unauthenticated LFI/SSRF via file_get_content() function
Nice, Thanks and have a nice day ahead 
Please Log in or Create an account to join the conversation.