CVE-2022-28997
📋 TL;DR
CVE-2022-28997 is a Server-Side Request Forgery (SSRF) vulnerability in CSZCMS v1.3.0 that allows attackers to make the server request internal resources, potentially leading to local file inclusion and data leakage. Attackers can exploit the /admin/filemanager/connector/ endpoint to access sensitive files. This affects all systems running the vulnerable version of CSZCMS.
💻 Affected Systems
- CSZCMS
📦 What is this software?
Cszcms by Cszcms
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through SSRF chained with local file inclusion, potentially leading to complete system compromise and data exfiltration.
Likely Case
Sensitive file disclosure including configuration files, credentials, and internal network information via SSRF and LFI.
If Mitigated
Limited impact if proper network segmentation and file permissions are in place, though some information leakage may still occur.
🎯 Exploit Status
Exploitation requires access to the admin filemanager connector endpoint, which may require authentication depending on configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Restrict access to filemanager connector
Block or restrict access to the vulnerable /admin/filemanager/connector/ endpoint using web server configuration or firewall rules.
# Apache 2.2 (on 2.4, replace the Order/Deny lines with "Require all denied"):
# <Location /admin/filemanager/connector/>
#     Order deny,allow
#     Deny from all
# </Location>
# Nginx:
# location /admin/filemanager/connector/ { deny all; }
Implement input validation
Add server-side validation to reject SSRF attempts and restrict file paths in the filemanager component.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the CSZCMS server from internal resources.
- Deploy a web application firewall (WAF) with SSRF and LFI protection rules.
🔍 How to Verify
Check if Vulnerable:
Check if CSZCMS version is 1.3.0 and if /admin/filemanager/connector/ endpoint is accessible and responds to SSRF payloads.
Check Version:
Check CSZCMS configuration files or admin panel for version information.
Verify Fix Applied:
Test that SSRF payloads no longer work and the filemanager connector endpoint is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /admin/filemanager/connector/ with external URLs or local file paths
- Multiple failed attempts to access restricted files
Network Indicators:
- Outbound requests from the server to internal IPs or services triggered by web requests
- Unusual file access patterns from the web server process
SIEM Query:
source="web_logs" AND (uri="/admin/filemanager/connector/" AND (query CONTAINS "http://" OR query CONTAINS "file://"))
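The same check as the SIEM query above, as an added Python example that is not part of the original advisory: it scans access-log lines in common/combined log format for requests to the connector endpoint whose query string contains a URL scheme, decoding percent-encoding first so encoded values are not missed. The sample log lines, IP addresses and parameter names are constructed for illustration, and `https://` is added to the schemes the page lists.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/admin/filemanager/connector"   # endpoint named in the advisory
# http:// and file:// come from the SIEM query; https:// is added here.
SCHEMES = ("http://", "https://", "file://")

# Common/combined log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode(value, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded values compare equal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def check_line(line):
    """Return a finding dict for a suspicious connector request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if not decode(path).startswith(ENDPOINT):
        return None
    query = decode(query)
    for scheme in SCHEMES:
        if scheme in query:
            return {"ip": m["ip"], "ts": m["ts"],
                    "status": int(m["status"]), "scheme": scheme}
    return None

def scan(lines):
    return [f for f in map(check_line, lines) if f]

# Constructed sample log lines (addresses and parameter names are made up).
SAMPLE = [
    '203.0.113.7 - - [12/Apr/2022:10:01:02 +0000] "GET /admin/filemanager/connector/?cmd=open&target=http://10.0.0.5/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Apr/2022:10:01:09 +0000] "GET /admin/filemanager/connector/?target=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 200 64',
    '203.0.113.7 - - [12/Apr/2022:10:01:15 +0000] "GET /admin/filemanager/connector/?target=http%253A%252F%252F192.168.1.1 HTTP/1.1" 403 0',
    '198.51.100.4 - - [12/Apr/2022:10:02:00 +0000] "GET /admin/filemanager/connector/?cmd=ls&target=uploads HTTP/1.1" 200 900',
    '198.51.100.4 - - [12/Apr/2022:10:02:05 +0000] "GET /search?q=http://example.com HTTP/1.1" 200 1200',
]
```

Access logs normally record only the request line, so parameters sent in a POST body will not be seen by this filter; pair it with the outbound-connection monitoring listed under Network Indicators.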
🔗 References
- https://i.imgur.com/BwWTfYU.png
- https://i.imgur.com/S1F7MaJ.png
- https://i.imgur.com/pzWjkXI.png
- https://i.imgur.com/xxjxnGk.png
- https://packetstormsecurity.com/files/166613/CSZCMS-1.3.0-SSRF-LFI-Remote-Code-Execution.html