CVE-2023-3744
📋 TL;DR
CVE-2023-3744 is a Server-Side Request Forgery vulnerability in SLims 9.6.0 that allows authenticated attackers to make requests to internal services or read files via the scrape_image.php file. This affects all SLims 9.6.0 installations with the vulnerable component enabled. Attackers can potentially access sensitive internal systems or exfiltrate data.
💻 Affected Systems
- SLims
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network services, data exfiltration from internal systems, and potential lateral movement to other critical infrastructure.
Likely Case
Unauthorized access to internal services, file disclosure from accessible systems, and potential credential harvesting from internal endpoints.
If Mitigated
Limited to authenticated user access only, with network segmentation preventing access to critical internal systems.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.6.1 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/server-side-request-forgery-slims
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Download SLims 9.6.1 or later from the official source.
3. Replace the affected files.
4. Restart the web server.
5. Verify functionality.
🔧 Temporary Workarounds
Disable scrape_image.php
Remove or restrict access to the vulnerable scrape_image.php file (Linux):
mv /path/to/slims/scrape_image.php /path/to/slims/scrape_image.php.disabled
Implement input validation
Add strict URL validation to the imageURL parameter (all platforms).
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SLims from internal services
- Deploy web application firewall with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check if SLims version is 9.6.0 and scrape_image.php exists in the installation directory
Check Version:
Check SLims configuration file or admin panel for version information
Verify Fix Applied:
Verify SLims version is 9.6.1 or later and test that scrape_image.php properly validates URLs
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to scrape_image.php with external/internal URLs
- Multiple failed authentication attempts followed by scrape_image.php access
Network Indicators:
- Outbound connections from SLims server to internal services not normally accessed
- Unusual traffic patterns from SLims to internal network segments
SIEM Query (a url="*://*" clause would match every request and make the address clauses redundant, so only loopback and private destinations are listed):
source="slims_access.log" AND uri="/scrape_image.php" AND (url="*://127.*" OR url="*://localhost*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")
Note: url="*://172.16.*" covers only one /16; the private range 172.16.0.0/12 runs through 172.31.*, so widen the pattern (or use a CIDR match if the SIEM supports it), and also flag requests whose imageURL uses a non-http scheme such as file://.
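As an added example (not from the advisory or the SLims project), the following Python combines the URL check the "Implement input validation" workaround calls for with the log-based detection described under Log Indicators: it parses constructed access-log lines, extracts the imageURL parameter of scrape_image.php requests, and flags targets that use a non-http scheme or point at a loopback, link-local, private or otherwise non-global address, which also covers the full 172.16.0.0/12 range the wildcard query misses. The log format, field names and sample lines are assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse
# Constructed sample lines in common access-log format (not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jul/2023:10:01:02 +0000] "GET /scrape_image.php?imageURL=http://covers.example.org/a.jpg HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Jul/2023:10:01:09 +0000] "GET /scrape_image.php?imageURL=http://127.0.0.1:8080/ HTTP/1.1" 200 311
10.0.0.7 - bob [12/Jul/2023:10:02:15 +0000] "GET /scrape_image.php?imageURL=http://172.20.1.9/ HTTP/1.1" 200 77
10.0.0.7 - bob [12/Jul/2023:10:02:40 +0000] "GET /scrape_image.php?imageURL=file:///etc/hostname HTTP/1.1" 200 64
10.0.0.9 - carol [12/Jul/2023:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')


def classify_target(url: str) -> Optional[str]:
    """Return why `url` is an unsafe fetch target, or None if it looks benign.
    Only the literal host is checked; an app-side validator must additionally
    resolve the hostname and re-check the resulting IP (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return f"non-http scheme '{parsed.scheme or 'none'}'"
    host = parsed.hostname or ""
    if host == "localhost":
        return "loopback host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname, not an IP literal
    # is_global is False for 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ...
    if not ip.is_global:
        return f"non-global address {ip}"
    return None


def find_ssrf_attempts(log_text: str) -> list:
    """Flag scrape_image.php requests whose imageURL parameter is unsafe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        if not path.endswith("/scrape_image.php"):
            continue
        for target in parse_qs(query).get("imageURL", []):
            reason = classify_target(target)
            if reason:
                hits.append({"src": m["src"], "user": m["user"], "target": target, "reason": reason})
    return hits
```

Running find_ssrf_attempts(SAMPLE_LOG) flags the three requests aimed at 127.0.0.1, 172.20.1.9 and a file:// URL while leaving the public cover fetch alone.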