The Lithium Community Platform had a feature, available to all 400+ clients including PayPal, HP, AT&T and many more at community.[company].com, for uploading avatars and images via a URL. The server fetched the image from the supplied URL itself, which created an SSRF with severe and dangerous consequences: an attacker could scan internal and external ports, trigger 302 redirects at the server level, cause an FTP DoS, and more.
Advisories published externally about my zero-day SSRF findings in the Lithium Community Platform:
This article is about an SSRF vulnerability that I recently found in the portal of an online helpdesk service provider; it allowed a port scan and an FTP DoS attack. I was awarded for finding this. The profile image upload functionality in the user's profile accepts a remote URL, which causes SSRF, through which an attacker can perform port scans, FTP DoS attacks and inappropriate information disclosure.
How does the vulnerability exist?
The company provides a service for customers to upload their photo or image through a URL. Generally, the server side should apply validation steps before offering this service to any user. Here there are two cases in the company.
Case 1: Disable unwanted protocols. Only http and https should be allowed for requests to remote servers, but here FTP protocol access is open. It seems that the servers have a VERY long timeout for their FTP requests. An attacker can use the target to block requests for a prolonged time using the ftp:// protocol, which never times out. This creates a DoS attack.
Below is the upload via URL.
Intercept the request in Burp proxy, change the scheme to ftp, and process the request.
Check the connection in netcat.
Check the timeout in Burp, which is 60 sec.
Case 2: Port scan
Here the attacker is able to do a port scan easily. Suppose I have to port scan the esoln.net domain from the victim server. Then, by looking at the server response, the attacker can analyse which ports are open and which are closed on esoln.net. Check the PoC for more details.
For a valid open port it shows a 200 OK response.
For a valid closed port it shows a 503/502 response.
Validated the above result with an nmap scan of esoln.net.
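As an added defensive example (my own illustration, not Lithium's code and not part of the advisory), the following Python URL validator closes both cases above: it allow-lists the http and https schemes only (case 1), allow-lists ports 80 and 443 and collapses every rejection into one generic message so the response no longer works as an open/closed port oracle (case 2), and rejects any hostname that resolves to a loopback, private, link-local or otherwise non-public address. The hostnames, IP addresses, DNS table and policy values are constructed assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy values are assumptions for this example, not the platform's settings.
ALLOWED_SCHEMES = {"http", "https"}   # case 1: no ftp://, gopher://, file:// ...
ALLOWED_PORTS = {80, 443}             # case 2: no arbitrary-port probing
FETCH_TIMEOUT_SECONDS = 5             # the fetcher must pass this to its HTTP client


class UnsafeUrlError(ValueError):
    """Raised when a user-supplied avatar URL fails the SSRF policy."""


def _is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop IPv6 scope id
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def validate_avatar_url(url, resolver=socket.getaddrinfo):
    """Return (scheme, host, port, [ips]) for a URL the server may fetch.

    The caller must connect to one of the returned IPs rather than
    re-resolving the name, otherwise DNS rebinding can undo this check.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrlError(f"scheme not allowed: {scheme or '<none>'}")
    host = parts.hostname
    if not host:
        raise UnsafeUrlError("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrlError("credentials in URL not allowed")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:  # port present but not a valid number
        raise UnsafeUrlError("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeUrlError(f"port not allowed: {port}")
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeUrlError("host does not resolve") from exc
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        raise UnsafeUrlError("host does not resolve")
    # Every resolved address must be public; one internal A record is enough to reject.
    bad = [ip for ip in ips if not _is_public_address(ip)]
    if bad:
        raise UnsafeUrlError(f"host resolves to non-public address: {bad}")
    return scheme, host, port, ips


def client_message_for(url, resolver=socket.getaddrinfo):
    """One generic message for every rejection, so the client response never
    reveals whether an internal host or port exists (the case-2 oracle)."""
    try:
        validate_avatar_url(url, resolver)
    except UnsafeUrlError:
        return "rejected"
    return "accepted"


# Constructed DNS table so the example runs offline; these are not real records.
_DEMO_DNS = {
    "img.example.net": ["203.0.113.10"],
    "intranet.example.net": ["10.0.0.5"],
    "rebind.example.net": ["203.0.113.11", "127.0.0.1"],
}


def demo_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo backed by _DEMO_DNS (hypothetical)."""
    try:
        ipaddress.ip_address(host)       # literal IP resolves to itself
        addrs = [host]
    except ValueError:
        if host not in _DEMO_DNS:
            raise socket.gaierror(f"unknown host {host}")
        addrs = _DEMO_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in addrs]


if __name__ == "__main__":
    for u in ("https://img.example.net/a.png",      # accepted
              "ftp://img.example.net/a.png",        # case 1: scheme rejected
              "http://img.example.net:22/",         # case 2: port rejected
              "http://intranet.example.net/x.png",  # resolves to 10.0.0.5
              "http://rebind.example.net/x.png",    # one record is loopback
              "http://127.0.0.1/"):                 # literal loopback
        print(u, "->", client_message_for(u, demo_resolver))
```

The check is only as good as what the fetcher does next: after validation the HTTP client should connect to the returned IP with `FETCH_TIMEOUT_SECONDS`, refuse to follow redirects (or re-validate each redirect target with the same function), and never echo the upstream status code back to the user.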
For more information about SSRF: