A user with a valid administrator account could leverage SSRF on a vulnerable server, e.g. to download another user’s data.
Detection of cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures. cn.keking.web.controller.OnlinePreviewController#getCorsFile was detected by Cisco Talon as SSRF via Malware Signatures. Cisco Talon monitors endpoints for the presence of files called _keking_cn_sample.zip, which are detected as SSRF. Cisco Endpoints also monitors endpoints for the presence of cn.keking.web.controller.OnlinePreviewController#getCorsFile and detects it as SSRF via Malware Signatures.
References
Cisco Talon detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures:
CN-KEKING-WEB-CONTROLLER#GETCORSFILE_A_SSRF_VIA_MALWARE_SIGNATURES
Summary
A user with a valid administrator account could enable SSRF on a vulnerable server to download another user’s data.
SSRF was detected by Cisco Talon as SSRF via Malware Signatures.
Summary of Cisco Talon detections for cn.keking.web.controller.OnlinePreviewController#getCorsFile
Cisco Talon detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures (.zip file name). Cisco Endpoints detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures (cn.keking.web.controller.OnlinePreviewController#getCorsFile in config/configuration directory).
Cisco Talon Indicator of Compromise (IOC)
Cisco Talon monitors endpoints for the presence of files called _keking_cn_sample.zip, which are detected as SSRF. Cisco Talon also detects the presence of cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures. Cisco Endpoints detects cn.keking.web.controller.OnlinePreviewController#getCorsFile as SSRF via Malware Signatures.
Timeline
Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/18/2022 19:11:00 UTC