Hebing123 / cve


LyLme_spage v1.9.5 has an SSRF vulnerability #44

Open Hebing123 opened 3 months ago

Hebing123 commented 3 months ago

Summary

An SSRF (Server-Side Request Forgery) vulnerability was identified in LyLme_spage version 1.9.5. This vulnerability allows internal network requests to be initiated and sensitive information to be retrieved by accessing a specific URL.

Details

The vulnerability resides in the get_head function, which is used to fetch and process web page titles, icons, descriptions, and keywords. However, through manipulation of the URL parameter accessed through http://192.168.0.10:1006/apply/index.php?url=[malicious_URL], an attacker can force the application to make arbitrary requests to internal services.

Source: https://github.com/LyLme/lylme_spage/blob/b7c430a49e8b247ddb04401b1176157c10d52948/include/function.php#L211-L265

This is made possible due to insufficient validation of the user-supplied URL, allowing for the specification of arbitrary URLs that the server will then request data from. Consequently, this behavior can be exploited to interact with and extract information from services that are only accessible from the server's internal network.

Impact

An attacker can exploit this vulnerability to conduct SSRF attacks, leading to unauthorized access to internal network services. This might result in the disclosure of sensitive information, interaction with internal APIs, or further exploitation depending on the nature of the accessible services. The impact is considerably high since it directly affects the confidentiality and integrity of the system.

Proof of Concept (PoC)

http(s)://ip:port/apply/index.php?url=malicious_URL

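One way to close the gap described in the report above is to validate the user-supplied URL before the server fetches it. This is an added example, not code from LyLme_spage or from the reporter; the function names `is_public_ip`, `resolve_safe_target` and `fetch_public_url` are hypothetical, and it assumes the PHP curl extension is available.

```php
<?php
// Added example, not LyLme_spage code. Function names are hypothetical.
function is_public_ip(string $ip): bool
{
    // Fails for private (10/8, 172.16/12, 192.168/16) and reserved (127/8, 169.254/16) ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function resolve_safe_target(string $url): ?array
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null; // http(s) only
    if (isset($p['user']) || isset($p['pass'])) return null;      // no userinfo
    $host = $p['host'];
    // IP literal, or every IPv4 address the name resolves to (fails closed).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return null;
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) return null;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

function fetch_public_url(string $url): ?string
{
    $t = resolve_safe_target($url);
    if ($t === null) return null;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // redirects would skip the check
        // Pin the vetted address so a second DNS answer cannot differ.
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}

// Constructed inputs; only the validation runs, nothing is fetched.
foreach (['http://127.0.0.1/', 'http://192.168.0.10:1006/', 'ftp://example.com/'] as $u) {
    echo $u, ' => ', resolve_safe_target($u) === null ? 'blocked' : 'allowed', PHP_EOL;
}
```

The PHP filter flags do not cover every non-public range (for example 100.64.0.0/10), and `gethostbynamel` returns IPv4 addresses only, so IPv6 targets are rejected rather than checked.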

wanghualei2 commented 1 month ago

CVE-2024-36675