K2 Smartforms version 4.6.11 suffers from a server-side request forgery vulnerability.
bfed1b3b47a40579a99e3b278436f4f9ebafa9072390b9d0c7be68ca11156e09# Vulnerability type: Server Side Request Forgery
# Vendor: https://www.k2.com/
# Product: K2 Smartforms
# Affected version: 4.6.11
# Credit: Foo Jong Meng
# CVE ID: CVE-2018-9920
# DESCRIPTION:
Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an https://*/Identity/STS/Forms/Scripts URL.
By replacing the "GET" parameter to any external domain (i.e. https://www.external-domain.com) while accessing the affected application (e.g.
https://url/Identity/STS/Forms/Scripts).
The resulting page shows URL with https://url/Identity/STS/Forms/Scripts but rendering https://www.external-domain.com in the body (aka local web defacement).
A port scan on the internal servers can be performed by changing the "GET" parameter URL and analysing the results of the return page.
# PROOF OF CONCEPT:
1. Use a web proxy (i.e zapproxy, burp) to intercept "GET" request for:
https://url/Identity/STS/Forms/Scripts
2. Replace the "GET" parameter to any external domain (i.e. https://www.external-domain.com/)
3. The resulting page is one with https://url/Identity/STS/Forms/Scripts but showing https://www.external-domain.com/ in the body.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed