Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID? What is an MSC vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: October 20, 2021
OverviewIn Camaleon CMS, versions 188.8.131.52 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server.
DetailsCamaleon CMS Media upload feature as shipped with Camaleon CMS versions 184.108.40.206 to 2.6.0 allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers which may allow attackers to send requests and read responses from internal URLs via SSRF.
PoC DetailsOn the Camaleon machine, create a file called “lol.txt” in the home directory.
Now start a local python server.
In the Camaleon CMS application, login as an administrator user. Go to the Media tab on the right. Choose Upload from URL, enter the below URL and submit. We see that the file is uploaded from localhost and can be read in the Information pane or by accessing the url.
// Command to start the python server sudo python3 -m http.server 80 --bind 127.0.0.1 // URL to submit: http://127.0.0.1/lol.txt
Affected EnvironmentsCamaleon CMS versions 220.127.116.11 to 2.6.0
PreventionUpdate to camaleon_cms version 18.104.22.168
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||High|
|User Interaction (UI):||None|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Low|