CVE-2018-18867
Description
An SSRF issue was discovered in tecrail Responsive FileManager 9.13.4 via the upload.php url parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-15495.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF vulnerability in Responsive FileManager 9.13.4 allows attackers to probe internal networks via the upload.php url parameter due to incomplete input validation.
Vulnerability
The upload.php script in Responsive FileManager 9.13.4 fetches a remote image from the address given in the url parameter. The fix applied for CVE-2018-15495 only checks that the URL begins with http:// or https://; it does not reject loopback or internal addresses, so the script still performs server-side request forgery (SSRF) when an attacker supplies a URL such as http://127.0.0.1:2233/aaaaaaa. [1]
Exploitation
An attacker sends a POST request to /filemanager/upload.php with the fldr parameter set and the url parameter pointing at an internal address. No authentication is required when the file manager is reachable without a login. The server attempts to fetch the URL, and the error it returns differs according to whether the target port is open ({"error":"Invalid URL"}) or closed (a different error), which lets the attacker enumerate internal hosts and listening ports one request at a time. [1]
Impact
Successful exploitation lets an attacker probe services on the internal network behind the firewall, identifying live hosts and open ports. The vulnerability does not by itself yield remote code execution or data exfiltration; its value is as reconnaissance that informs further attacks against internal systems. [1]
Mitigation
No patched release was available from the vendor when the reference was written. Until one is, restrict access to upload.php, block outbound connections from the web server to internal address ranges at the network level, or validate the supplied URL by resolving its host and rejecting loopback, link-local and private ranges rather than checking the scheme prefix alone. Note that a host check at validation time does not cover HTTP redirects or a DNS answer that changes between validation and fetch, so network-level egress filtering is the more reliable control. [1]
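As an added example (not code from the Responsive FileManager project or from the cited issue), the following Python contrasts a prefix-only check of the kind described under Vulnerability with a validator that parses the URL, resolves the host and rejects internal ranges, as suggested under Mitigation. The resolver hook, the function names and the constructed test URLs are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def prefix_only_check(url):
    """Prefix-only validation of the kind the page describes for 9.13.4:
    anything beginning with http:// or https:// passes, internal hosts included."""
    return url.startswith("http://") or url.startswith("https://")


def is_internal(ip):
    """True for any address the server should never fetch on a user's behalf."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Resolve a hostname to every A/AAAA record via system DNS (assumption:
    the deployment allows DNS lookups from the web server)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url, resolver=default_resolver):
    """Hardened check: only http/https, host must be present, and every
    address the host resolves to must be non-internal. `resolver` is
    injectable (hypothetical hook) so the check can be exercised offline."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # urlsplit strips the brackets from IPv6 literals
    try:
        addresses = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, OSError):
            return False  # unresolvable or malformed answer: refuse to fetch
    if not addresses:
        return False
    # Reject if *any* answer is internal; a mixed answer set is a classic
    # way to slip an internal target past a first-answer-only check.
    return not any(is_internal(a) for a in addresses)


if __name__ == "__main__":
    # Constructed inputs: the loopback probe from the page, an IPv6 loopback
    # literal, and a hostname served by a stub resolver (no network needed).
    probe = "http://127.0.0.1:2233/aaaaaaa"
    print("prefix-only accepts loopback probe:", prefix_only_check(probe))
    print("hardened rejects loopback probe:", not is_safe_fetch_url(probe))
    print("hardened rejects [::1]:", not is_safe_fetch_url("http://[::1]:2233/x"))
    print("hardened rejects host resolving to 10/8:",
          not is_safe_fetch_url("http://img.example.test/a.png",
                                resolver=lambda h: ["10.0.0.5"]))
```

The check is deliberately strict about mixed DNS answers and unresolvable hosts: failing closed costs a legitimate upload at worst, while failing open hands the attacker the port scanner described above.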
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 9.9, 9.9.1, 9.9.2, …
- Range: 9.13.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/trippo/ResponsiveFilemanager/issues/506 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.