VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2023 · Updated Oct 17, 2024

CVE-2023-39110

Description

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

rConfig 3.9.4 contains an authenticated SSRF in ajaxGetFileByPath.php, enabling arbitrary requests and local file reads.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in rConfig version 3.9.4 within the file www/lib/ajaxHandlers/ajaxGetFileByPath.php. The path parameter from the GET request is passed directly to file_exists() without sufficient validation, allowing an attacker to inject arbitrary URLs. This code path is reachable only after authentication [1].

Exploitation

An authenticated attacker can send a crafted GET request to /ajaxGetFileByPath.php with a path parameter containing a malicious URL, such as file://localhost/etc/passwd or an internal HTTP address. The server then processes the request, effectively making the server-side application fetch the resource specified by the attacker. No additional user interaction is required beyond authentication [1].

Impact

Successful exploitation allows the attacker to force the server to make arbitrary requests, leading to local file disclosure (e.g., reading /etc/passwd) and potential probing of internal network services. The attacker gains the ability to read sensitive files and map internal infrastructure, escalating from an authenticated user to a broader information disclosure [1].

Mitigation

As of the publication date (2023-08-01), no official patch has been released for rConfig 3.9.4, and none of the available references indicate that the vendor has addressed this vulnerability. Until a fix is provided, restrict access to the ajaxGetFileByPath.php endpoint via network controls or a web application firewall (WAF) that blocks suspicious values of the path parameter [1].
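As an added illustration of the mitigation above (example code, not part of rConfig or this advisory): a small Python scanner over constructed access-log lines that flags requests to /ajaxGetFileByPath.php whose path parameter carries a URL scheme (the stream-wrapper case behind this SSRF), directory traversal, or a location outside an assumed configuration directory. ALLOWED_BASE and the log lines are assumptions for the example, not values from the advisory.

```python
# Added example, not rConfig code: flag suspicious "path" values sent to the
# vulnerable endpoint, as a WAF rule or log-review script would.
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Aug/2023:10:00:01 +0000] "GET /ajaxGetFileByPath.php?path=%2Fhome%2Frconfig%2Fconfig%2Fdevice1.cfg HTTP/1.1" 200 512
10.0.0.5 - admin [01/Aug/2023:10:00:02 +0000] "GET /ajaxGetFileByPath.php?path=file%3A%2F%2Flocalhost%2Fetc%2Fpasswd HTTP/1.1" 200 1432
10.0.0.7 - admin [01/Aug/2023:10:00:03 +0000] "GET /ajaxGetFileByPath.php?path=http%3A%2F%2F10.0.0.1%3A8080%2F HTTP/1.1" 200 88
10.0.0.9 - - [01/Aug/2023:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048
10.0.0.5 - admin [01/Aug/2023:10:00:05 +0000] "GET /ajaxGetFileByPath.php?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432
"""

# Any "scheme:" prefix (file:, http:, php:, ...) means PHP would treat the value as
# a stream wrapper rather than a plain filesystem path.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_BASE = "/home/rconfig/"  # assumed config directory; adjust per deployment
ENDPOINT = "/ajaxGetFileByPath.php"


def classify_path_param(value: str) -> Optional[str]:
    """Return a finding label for a path parameter, or None if it looks benign."""
    decoded = unquote(value)  # second decode catches double-encoded values
    if SCHEME_RE.match(decoded):
        return "url-scheme"
    if ".." in decoded.split("/"):
        return "traversal"
    if not decoded.startswith(ALLOWED_BASE):
        return "outside-base"
    return None


def scan_log(text: str) -> list:
    """Return (client_ip, finding, decoded_path) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != ENDPOINT:
            continue
        # parse_qs percent-decodes once; repeated keys are all inspected.
        for raw in parse_qs(target.query, keep_blank_values=True).get("path", []):
            label = classify_path_param(raw)
            if label:
                findings.append((line.split()[0], label, unquote(raw)))
    return findings


if __name__ == "__main__":
    for ip, label, path in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```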

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.