Senayan Library Management System Server-Side Request Forgery Vulnerability in scrape_image.php Component

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Senayan Library Management System (SLiMS) 9 Bulian version 9.6.1. The issue arises in the scrape_image.php component, where the imageURL parameter is not properly validated, allowing remote attackers to execute arbitrary code by sending crafted URLs. Exploitation could lead to unauthorized actions or access to sensitive data within the application or on connected back-end systems. In some cases, it might even allow arbitrary command execution.

Impact

Exploitation of this vulnerability could result in unauthorized requests being made from the server to internal services or resources, potentially leading to exposure of sensitive data or allowing the attacker to perform actions on behalf of the server. In this case, the vulnerability was exploited to retrieve the hostname of the application server, demonstrating the potential for SSRF attacks to access internal information or services.

Reproduction

The vulnerability can be reproduced by sending a POST request to the scrape_image.php endpoint with a crafted imageURL parameter that points to a URL of the attacker's choosing. The server then makes a request to the specified URL, bypassing normal security restrictions and potentially allowing the attacker to access internal resources or execute arbitrary code.

Remediation

Users are advised to update to the latest version of Senayan Library Management System (SLiMS) 9 Bulian, where this vulnerability has been addressed. For those unable to update, it is recommended to implement additional input validation to restrict URL schemes to only 'http' and 'https', block access to private IP ranges, and enforce size and content validation on fetched images.
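The interim mitigations above (allow only http and https, refuse private ranges, cap and type-check the fetched image) are illustrated by the following Python helper. It is an added example, not SLiMS code; the hostnames, the fake DNS table and the 2 MiB limit are constructed for the demonstration, and the resolver is injectable so the check can run offline. Resolving the hostname before the request matters because a URL such as http://internal.example/ looks harmless until DNS maps it to a private address.

```python
"""Hardened image-URL policy: scheme allowlist, private-range rejection,
size and content checks. Added illustration, not the project's own code."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_IMAGE_BYTES = 2 * 1024 * 1024          # assumed cap: 2 MiB
IMAGE_MAGIC = {                            # leading bytes of accepted formats
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def default_resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local (169.254.0.0/16 metadata endpoints), multicast and
    IPv4-mapped IPv6 forms of those ranges are all rejected."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_image_url(url, resolve=default_resolve):
    """Return the resolved public addresses for a fetchable URL, or raise
    ValueError. The caller should connect to one of the returned addresses
    (not re-resolve) so the host cannot change between check and fetch."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP, no DNS needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addrs


def validate_image_bytes(data):
    """Enforce the size cap and require a known image signature; returns the
    detected MIME type. Content-Type headers are attacker-controlled, so the
    bytes themselves are inspected."""
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError(f"image exceeds {MAX_IMAGE_BYTES} bytes")
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    raise ValueError("payload is not a recognised image format")


# Constructed DNS table standing in for real resolution during the demo.
FAKE_DNS = {
    "images.example.org": ["93.184.216.34"],            # public only
    "internal.example": ["10.0.0.5"],                   # RFC 1918
    "split.example": ["93.184.216.34", "10.0.0.5"],     # one private answer is enough to reject
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


CASES = [
    "https://images.example.org/cover.jpg",
    "http://internal.example/status",
    "http://split.example/cover.png",
    "http://127.0.0.1:8080/",
    "http://[::ffff:127.0.0.1]/",
    "http://169.254.169.254/latest/meta-data/",
    "file:///etc/passwd",
    "http://0x7f000001/",        # hex literal: not an IP to ipaddress, and absent from the table
]


def check_cases(resolve=fake_resolve):
    """Apply the URL policy to every constructed case; returns url -> verdict."""
    results = {}
    for url in CASES:
        try:
            validate_image_url(url, resolve)
            results[url] = "allowed"
        except ValueError as exc:
            results[url] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for url, verdict in check_cases().items():
        print(f"{verdict:60s} {url}")
    print(validate_image_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
```

Two points the validator alone does not cover: the HTTP client that performs the fetch must not follow redirects automatically (each redirect target needs the same check), and it should connect to the address returned by the validator rather than resolving the name a second time.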

Added: Oct 20, 2025, 7:16 PM
Updated: Oct 20, 2025, 7:16 PM

Vulnerability Rating

Custom Algorithm
spread:         2.2
impact:        10.0
exploitability: 6.3
remediation:    0.0
relevance:      0.8
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.