An attacker can trick the user into giving him remote system access via the PHP components. In Senayan Library Management System, it is possible to create a library, add an item to a library and edit the library details. Attackers can use this to give remote system access to the server via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
Server-Side Request Forgery (SSRF) occurs when an attacker tricks a user into performing an action that normally would require authentication (such as logging into a website or clicking a link). The action could be anything from changing an email address to purchasing a gift card to sending money to an attacker.
Some websites have been found to have SSRF vulnerabilities that allow attackers to obtain remote system access to the server. An attacker would only need to trick a user into clicking a link that takes them to a vulnerable website. It does not matter if the website is secured or not, as long as the user is sent to the website. After receiving the request from the user, the vulnerable website sends the information (the URL and the request) to the attacker. The attacker then has access to the vulnerable website’s server.
CVE-2022-38293
An attacker can gain remote system access by submitting a request with a malformed URI to the PHP components. In Senayan Library Management System, it is possible to create a library, add an item to a library and edit the library details. Attackers can use this to give remote system access to the server via the components /bibliography/marcsru.php and /bibliography/z3950sru.php.
Cross-Site Request Forgery (CSRF) occurs when an attacker tricks a user into performing an action on behalf of another user’s account without their knowledge or consent. The action could be anything from changing an email address to purchasing a gift card to sending money to an attacker. The attacker uses their own account on the vulnerable website which has been compromised and then sends requests back as if they were coming from another user's account. This is why CSRF is also known as a replay attack because it replays previously made requests back onto the vulnerable website.
Apache HTTP Server Software
Apache HTTP Server (commonly known as “Apache”) is an open-source web server. It is the most popular server software, and can be found on 80% of all websites.
Furthermore, Apache is widely used by organizations that want to provide their users with a web experience without having to configure it themselves.
The Apache HTTP Server contains various vulnerabilities that allow attackers to access remote system resources. To prevent these vulnerabilities from being exploited, you can use the following steps:
1. Ensure that a firewall is configured properly for the system running Apache 2. Update the Apache installation 3. Update all other installed software 4. Check for updates regularly 5. Install an intrusion detection system (IDS) or intrusion prevention system (IPS)
What are the factors that make websites vulnerable to SSRF?
The vulnerabilities that make websites vulnerable to SSRF occur at the front-end of the website. There are a few different factors that can make a site vulnerable, including:
The use of the PHP components
The request forgery prevention measures in place
An insecure design (for example, if POST data is sent without being encrypted)
Open source software that does not include security updates
Vulnerable URL and How to Bypass the SSRF Protection
The vulnerable URL for Senayan Library Management System is /bibliography/marcsru.php and the vulnerable function is /bibliography/marcsru.php?PHPSESSID=1e6c07f72d9174925f12fa3e042ee750&action=edit. An attacker can trick a user into clicking on a malicious link to bypass the protection.
The following image shows an example of how to bypass the SSRF protection in Senayan Library Management System by creating a malicious link that takes a user to /bibliography/marcsru.php?PHPSESSID=1e6c07f72d9174925f12fa3e042ee750&action=edit.
CVE-2020-39353
When a user uploads an image and saves it to the server, the system does not verify if the saved file is allowed. This vulnerability allows attackers to execute php code on the server after uploading an image. The output of this code would allow for a remote code execution attack.
Timeline
Published on: 09/12/2022 21:15:00 UTC
Last modified on: 09/15/2022 04:14:00 UTC