liuliu / ccv

C-based/Cached/Core Computer Vision Library, A Modern Computer Vision Library
http://libccv.org

[Vuln] SSRF vulnerability in `curl_init` Function of `loader.php` File (ccv latest version) #232

Closed zer0yu closed 2 years ago

zer0yu commented 2 years ago

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: latest. Tested with PHP 7.2.

The vulnerable code is located in the `ccv/js/loader.php` file. It does not sufficiently validate the `src` parameter, so a taint is introduced from the `$url` variable into the tainted function `curl_init`; after `curl_exec` executes, a request is sent to the URL specified by the `src` parameter, eventually leading to an SSRF vulnerability.

```php
$url = urldecode(filter_var($_GET['src']));
......
    $curl = curl_init($url);
    $options = array(CURLOPT_HEADER => false,
                     CURLOPT_TIMEOUT => 30,
                     CURLOPT_FILE => $output,
                     CURLOPT_FOLLOWLOCATION => true);
    curl_setopt_array($curl, $options);
    $result = curl_exec($curl);
......
}
```

Because the src parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows:

```shell
curl http://172.16.119.1:81/loader.php?src=http://172.16.119.1/testpoc -i
```

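For comparison with the snippet in the report, here is a hardened version of the same fetch. It is an added example written for this issue, not code from the ccv project or from either commenter, and the function names `ssrf_safe_ip` and `ssrf_safe_fetch` are my own. It assumes the handler only ever needs to fetch `http`/`https` URLs and shows the three controls the original snippet lacks: a scheme allow-list, a check that the host resolves to a public address (using PHP's built-in `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE`), and pinning cURL to the checked address with `CURLOPT_RESOLVE` while disabling redirects, so neither a second DNS lookup nor a `Location:` header can steer the request to an internal service.

```php
<?php
// Hardened fetch for a user-supplied "src" URL (example, not ccv code).

// Accept only addresses outside loopback, private, link-local and reserved
// ranges. FILTER_VALIDATE_IP with these flags rejects 10/8, 172.16/12,
// 192.168/16, 127/8, 169.254/16, 0/8, 240/4 and the IPv6 equivalents.
function ssrf_safe_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Validate the URL, resolve its host once, check the resulting address, and
// pin cURL to that address so a later lookup (DNS rebinding) cannot swap in an
// internal IP after the check. $output is an open file handle, as in the
// original handler. Returns true only on a completed HTTP 200 fetch.
function ssrf_safe_fetch(string $rawUrl, $output): bool
{
    $url = filter_var($rawUrl, FILTER_VALIDATE_URL);
    if ($url === false) {
        return false;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return false;   // no file://, gopher://, dict://, ftp:// and so on
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    // A literal IPv4 in the URL is checked directly; a hostname is resolved
    // first. gethostbyname() returns its input unchanged when resolution fails.
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ip = $isLiteral ? $host : gethostbyname($host);
    if (!$isLiteral && $ip === $host) {
        return false;   // unresolvable name (also covers bracketed IPv6 literals)
    }
    if (!ssrf_safe_ip($ip)) {
        return false;   // would reach loopback, RFC 1918, link-local, etc.
    }

    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_HEADER         => false,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_FILE           => $output,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point back inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"],
    ]);
    $result = curl_exec($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);
    return $result !== false && $status === 200;
}

// Usage in a handler shaped like the original (hypothetical request):
// $out = fopen('php://temp', 'w+');
// if (!ssrf_safe_fetch($_GET['src'] ?? '', $out)) { http_response_code(400); }
```

With this in place the PoC above (`src=http://172.16.119.1/testpoc`) is refused before any socket is opened, because `172.16.119.1` falls in the RFC 1918 range that `FILTER_FLAG_NO_PRIV_RANGE` rejects. If the feature genuinely must reach internal hosts, the right shape is a fixed allow-list of hostnames rather than a deny-list of ranges.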

liuliu commented 2 years ago

This file is removed per https://github.com/liuliu/ccv/commit/01506183ca04c01e57a95e4e9932bbe20e93750b