OpenBMCS Unauthenticated Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in OpenBMCS version 2.4. This vulnerability allows unauthenticated attackers to bypass firewalls and conduct service and network enumeration on the internal network via the affected application. Exploitation of this vulnerability could lead to hijacking of current user sessions. The issue arises because the application does not properly validate user-supplied data in the 'ip' parameter, allowing external domains to be specified and HTTP requests to be made to arbitrary destination hosts.
Impact
Exploitation of this vulnerability could result in unauthorized network access, allowing attackers to enumerate internal services and potentially hijack user sessions. Additionally, this vulnerability could be exploited to execute cross-site scripting attacks by injecting malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a POST request to '/php/query.php' that includes the 'ip' parameter. Because the application does not validate the supplied value, it can be directed to make requests to external domains. This can be done using common tools like curl or Postman.
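The missing check on the 'ip' parameter can be closed with a strict server-side validator. The following is an added example, not OpenBMCS code: the function names, the allowlisted network and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: networks holding the devices this endpoint may poll.
// Constructed documentation range; replace with the site's controller subnets.
const ALLOWED_CIDRS = ['192.0.2.0/28'];

// True when dotted-quad $ip lies inside $cidr. Assumes 64-bit PHP integers.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = (0xFFFFFFFF << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Returns the destination address if it may be contacted, otherwise null.
function validate_target_ip($raw): ?string
{
    // Arrays (ip[]=...) and other non-string inputs are rejected outright.
    if (!is_string($raw)) {
        return null;
    }
    // Literal IPv4 only: hostnames, URLs, ports and paths all fail here,
    // so no DNS lookup ever decides where the server-side request goes.
    $ip = filter_var($raw, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($ip === false) {
        return null;
    }
    foreach (ALLOWED_CIDRS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return $ip;
        }
    }
    return null; // syntactically valid, but not a permitted destination
}

// Constructed sample values for the 'ip' POST parameter.
$samples = ['192.0.2.5', '192.0.2.200', '127.0.0.1', 'example.com',
            'http://192.0.2.5/', '192.0.2.5:8080', ['192.0.2.5']];
foreach ($samples as $s) {
    $verdict = validate_target_ip($s) === null ? 'reject' : 'allow';
    echo str_pad(json_encode($s, JSON_UNESCAPED_SLASHES), 24), $verdict, PHP_EOL;
}
```

Only the first sample is allowed; every other value is rejected before any outbound request is built. Because the advisory describes the endpoint as reachable without authentication, a handler using this check should also require a valid session before it reads the parameter.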
