CVE-2023-39108

Vulnerability

rConfig version 3.9.4 contains a Server-Side Request Forgery (SSRF) vulnerability in the doDiff() function within /classes/compareClass.php. The path_b parameter, received via GET request in /www/lib/crud/configcompare.crud.php, is insufficiently sanitized and passed to the file() function in doDiff(). This allows an authenticated attacker to inject arbitrary URLs. The vulnerability requires authentication and affects all rConfig 3.9.4 installations [1].

Exploitation

An authenticated attacker can exploit this by sending a crafted GET request to the configcompare.crud.php endpoint with a malicious URL in the path_b parameter. The application will then use the server's HTTP context to request the injected URL, allowing the attacker to probe internal network resources or interact with external systems. No special network position is required beyond network access to the rConfig application [1].

Impact

Successful exploitation results in a Server-Side Request Forgery (SSRF), enabling the attacker to make arbitrary HTTP requests from the rConfig server. This can be used to scan internal networks, access internal services, or interact with cloud metadata endpoints, potentially leading to information disclosure or further lateral movement [1].

Mitigation

As of the available references, no patch has been released for rConfig 3.9.4. Users should restrict access to the rConfig application to trusted IPs, apply strict input validation on the path_b parameter, and monitor for unusual outbound traffic from the server. Consider disabling the vulnerable functionality until a fix is available. The vendor has not published a fixed version as of August 2023 [1].