CVE-2017-16614

9.8 CRITICAL

📋 TL;DR

This is a Server-Side Request Forgery (SSRF) vulnerability in tpshop e-commerce software that allows attackers to make the server send requests to internal or external systems. Attackers can potentially access sensitive information, attack internal network hosts, or achieve remote command execution. Affects tpshop versions 2.0.5 and 2.0.6.

💻 Affected Systems

Products:
  • tpshop
Versions: 2.0.5, 2.0.6
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the WeChat payment plugin component of tpshop.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote command execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Information disclosure from internal services and potential internal network reconnaissance.

🟢 If Mitigated

Limited to error messages or failed requests if proper network segmentation and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted requests to the vulnerable endpoint with malicious URLs in the fBill parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.7 or later

Vendor Advisory: http://seclists.org/fulldisclosure/2018/Mar/77

Restart Required: No

Instructions:

1. Upgrade tpshop to version 2.0.7 or later.
2. Replace the vulnerable file plugins/payment/weixin/lib/WxPay.tedatac.php with the patched version.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation Filter (all)

Add URL validation to reject malicious URLs in the fBill parameter.

Modify plugins/payment/weixin/lib/WxPay.tedatac.php to validate URLs before processing.
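One way to implement the validation step above, as an added example that is not tpshop's own code: a helper that accepts only http/https URLs, optionally only hosts on an allowlist, and rejects any host that is or resolves to a private, loopback, link-local or reserved address. The function name, its parameters and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not tpshop's own code) of the "validate URLs before processing"
// workaround for the fBill parameter. Only http/https, optional host allowlist,
// and no host that is or resolves to a private/loopback/link-local/reserved IP.
function is_safe_outbound_url(string $url, array $allowedHosts = []): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials (user@host) are a classic way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)) {
        return false;
    }
    // Literal IPs are checked as-is; hostnames are resolved and every address checked.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = gethostbynamel($host);
        if ($addresses === false || $addresses === []) {
            return false;
        }
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (203.0.113.10 is a documentation-range address
// standing in for a legitimate public host, so this runs offline).
$samples = [
    'https://203.0.113.10/pay/notify',  // public literal IP: allowed
    'http://127.0.0.1:8080/',           // loopback: rejected
    'http://10.0.0.5/',                 // private range: rejected
    'http://user@203.0.113.10/',        // embedded credentials: rejected
];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, is_safe_outbound_url($u) ? 'allowed' : 'rejected');
}
```

Resolution here and the later outbound request can disagree if DNS answers change between them, so in a payment callback the host allowlist is the check to rely on, with the address check as a second layer.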

Network Segmentation (all)

Restrict outbound network access from the web server.

Configure firewall rules to block web server access to internal networks.

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with SSRF protection rules
  • Disable or remove the vulnerable WeChat payment plugin

🔍 How to Verify

Check if Vulnerable:

Send a request to the vulnerable endpoint with a URL pointing to an internal service in the fBill parameter and check if the server attempts to connect.

Check Version:

Check tpshop version in admin panel or configuration files

Verify Fix Applied:

Attempt the same SSRF test after patching; the server should reject or sanitize the malicious URL.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from web server to internal IPs
  • Requests to plugins/payment/weixin/lib/WxPay.tedatac.php with URL parameters

Network Indicators:

  • Web server making unexpected connections to internal services
  • Outbound requests to unusual ports from web server

SIEM Query:

source_ip=web_server AND dest_ip=internal_range AND protocol=HTTP
