CVE-2023-39109
Description
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rConfig v3.9.4 has an SSRF vulnerability in the doDiff function via the path_a parameter, allowing authenticated attackers to make arbitrary requests.
Vulnerability
The vulnerability is a Server-Side Request Forgery (SSRF) in rConfig version 3.9.4. It resides in the doDiff() function within classes/compareClass.php. The path_a parameter, passed via HTTP GET to www/lib/crud/configcompare.crud.php, is insufficiently sanitized before being used in the file() function, allowing an attacker to inject arbitrary URLs [1]. The vulnerability affects rConfig 3.9.4 running on PHP 7.x [1].
Exploitation
An authenticated attacker can exploit this by sending a crafted HTTP request to configcompare.crud.php with a malicious path_a parameter containing a target URL (e.g., http://internal-service:8080/). The application will then make a request to that URL using server-side resources [1]. The attacker does not require any special privileges beyond authentication.
Impact
Successful exploitation allows the attacker to perform Server-Side Request Forgery, enabling them to probe internal network resources, access local files via the file:// protocol, or interact with other internal services. This can lead to information disclosure and further compromise of the network [1].
Mitigation
As of publication, no official patch has been released for this vulnerability [1]. Users should implement strict input validation on the path_a parameter, restrict outbound HTTP requests from the server, and apply network segmentation to limit the impact of SSRF attacks.
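The input-validation mitigation above, shown as an added example in PHP. This is not rConfig's code and it does not reproduce the actual doDiff() or configcompare.crud.php logic; the base directory, function names and the temporary-directory demonstration are assumptions. The point it illustrates is that file() accepts URLs and stream wrappers, so the value reaching it must be a validated filename inside a fixed directory, never a raw request parameter.

```php
<?php
// Added example, not rConfig's code: a hardened way to turn a request
// parameter such as path_a into a file that may safely be passed to file().
// CONFIG_BASE_DIR and the function names are assumptions for illustration.

declare(strict_types=1);

// Directory under which compare targets are allowed to live (assumed value).
const CONFIG_BASE_DIR = '/var/rconfig/configs';

/**
 * Resolve a user-supplied file name to an absolute path inside $baseDir,
 * or return null if the input is not acceptable.
 *
 * Rejected: empty input, NUL bytes, anything with a URL scheme or stream
 * wrapper (http://, file://, php://, ...), absolute paths, path traversal,
 * names starting with a dot, and anything that resolves (through symlinks)
 * to a location outside $baseDir.
 */
function resolveConfigPath(string $userPath, string $baseDir = CONFIG_BASE_DIR): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Explicitly refuse scheme-like prefixes; this is the SSRF vector, since
    // file() would otherwise fetch the URL with server-side resources.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // Allowlist a plain file name: no slashes, so absolute paths and
    // traversal are impossible by construction; no leading dot, so "." and
    // ".." and hidden files are excluded.
    if (!preg_match('/\A[A-Za-z0-9_\-][A-Za-z0-9._\-]{0,254}\z/', $userPath)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for a missing file and resolves symlinks, so
    // the prefix comparison below also catches symlink escapes.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened read of a compare target: file() is only ever called on a
 * validated local path, never on the raw request parameter.
 */
function readConfigLines(string $userPath, string $baseDir = CONFIG_BASE_DIR): array
{
    $path = resolveConfigPath($userPath, $baseDir);
    if ($path === null) {
        http_response_code(400);
        return [];
    }
    return file($path, FILE_IGNORE_NEW_LINES);
}

// Constructed demonstration: a temporary base directory with one file.
// Only the plain file name is accepted; URL, wrapper and traversal inputs
// all resolve to null and are never handed to file().
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfg_example_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'router1.cfg', "hostname router1\n");

$inputs = ['router1.cfg', 'http://127.0.0.1:8080/', 'file:///etc/hostname', '../router1.cfg'];
foreach ($inputs as $in) {
    $resolved = resolveConfigPath($in, $tmp);
    printf("%-28s -> %s\n", $in, $resolved === null ? 'rejected' : 'accepted');
}

unlink($tmp . DIRECTORY_SEPARATOR . 'router1.cfg');
rmdir($tmp);
```

For the outbound-request restriction the mitigation also recommends, setting `allow_url_fopen=Off` in php.ini is a useful defence-in-depth layer: it stops file() and similar functions from opening http:// and ftp:// URLs at all. It does not cover the file:// wrapper or local paths, so it complements the path validation above rather than replacing it, and the network-level egress filtering and segmentation mentioned above still apply.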
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- rconfig/rconfig
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.