Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.
Recent assessments:
theguly at March 11, 2020 3:11pm UTC reported:
despite the age of this vuln, we still find vulnerable Alfresco, therefore itβs worth a quick assessment to me.
having tried to exploit /proxy?endpoint i think there is no known way to execute a βusefulβ attack.
endpoint parameter can be abused to only do GET, so to achieve a write against an internal endpoint you should first have to find something that accepts modification using GET. possible, but uncommon.
HTML for the requested endpoint will be sent back to the attacker, and this could be a useful information, but mostly info disclosure. again depends on whatβs in internal network, still possible but uncommon to find really juicy stuff.
plus, if my skills in reading java code are good enough, a quick code review in source code revealed that just http and https protocols are supported by calling Classe. no file:// or something can be used to achieve, say, LFI.
still useful to map internal network or dirty other serversβ log, and to collect information, but this vuln has a quite limited value to me.
Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 5