CVE-2023-39110
📋 TL;DR
CVE-2023-39110 is a Server-Side Request Forgery (SSRF) vulnerability in rconfig v3.9.4 that allows authenticated attackers to make arbitrary HTTP requests from the vulnerable server via the /ajaxGetFileByPath.php endpoint. This can lead to internal network reconnaissance, data exfiltration, or attacks against internal systems. Organizations running rconfig v3.9.4 with authenticated user access are affected.
💻 Affected Systems
- rconfig
📦 What is this software?
Rconfig by Rconfig
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access sensitive internal services, exfiltrate data, or perform attacks against cloud metadata services leading to complete compromise of internal infrastructure.
Likely Case
Internal network scanning, accessing internal APIs or services, retrieving sensitive information from internal systems, or performing limited attacks against adjacent systems.
If Mitigated
Limited impact with proper network segmentation, egress filtering, and authentication controls preventing unauthorized access to sensitive internal resources.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Public proof-of-concept demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.9.5 or later
Vendor Advisory: https://github.com/rconfig/rconfig/releases
Restart Required: Yes
Instructions:
1. Back up the current rconfig installation and database.
2. Download and install rconfig v3.9.5 or later from the official repository.
3. Follow the upgrade instructions in the release notes.
4. Restart the web server and verify functionality.
🔧 Temporary Workarounds
Restrict access to vulnerable endpoint
Block or restrict access to /ajaxGetFileByPath.php via web server configuration or WAF rules. Note that this also disables whatever legitimate function the endpoint provides, so confirm the application still works for your use case afterwards.

```apache
# Apache: mod_rewrite must be enabled and RewriteEngine On in the same context.
# The optional leading slash makes the pattern work in both server and .htaccess context.
RewriteEngine On
RewriteRule ^/?ajaxGetFileByPath\.php$ - [F,L]
```

```nginx
# Nginx: return 403 for the endpoint
location ~ ^/ajaxGetFileByPath\.php$ { deny all; }
```
Implement network egress filtering
Restrict outbound HTTP/HTTPS requests from the rconfig server to only necessary destinations:

```bash
# iptables example: permit outbound web traffic only to an approved destination
# (<allowed-destination> is a placeholder for your host or subnet), then drop
# all other outbound traffic on ports 80 and 443. Order matters: ACCEPT rules
# must precede the DROP rules.
iptables -A OUTPUT -p tcp -d <allowed-destination> --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d <allowed-destination> --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
```

Filtering only ports 80 and 443 does not stop requests to internal services listening on other ports; a default-deny OUTPUT policy with explicit ACCEPT rules for required destinations is stronger.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate rconfig server from sensitive internal systems
- Enforce strong authentication controls and monitor for suspicious authenticated user activity
🔍 How to Verify
Check if Vulnerable:
Check whether rconfig v3.9.4 is running by examining version files or the web interface footer. Test authenticated access to /ajaxGetFileByPath.php with SSRF payloads.
Check Version:
```bash
grep -r 'version' /path/to/rconfig/install/ | grep -i '3.9.4'
```
Verify Fix Applied:
Verify that rconfig v3.9.5 or later is installed. Test that the /ajaxGetFileByPath.php endpoint properly validates and restricts the URL it is given in its parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /ajaxGetFileByPath.php
- Requests whose path parameter contains a URL (http:// or https://) rather than a file path
- Multiple failed authentication attempts followed by SSRF attempts
Network Indicators:
- Outbound HTTP requests from rconfig server to unusual internal IPs or external domains
- Traffic patterns indicating internal network scanning
SIEM Query:
```
source="web_server" AND (url="/ajaxGetFileByPath.php" OR url LIKE "%ajaxGetFileByPath%") AND (post_data LIKE "%http://%" OR post_data LIKE "%https://%")
```
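The log indicators and SIEM query above can be applied offline to access logs. The following is an added example, not code from the advisory or the rconfig project: it scans constructed log lines (the log format with the POST body appended is an assumption; adapt the regex to your web server's real format) for requests to /ajaxGetFileByPath.php whose path parameter carries a URL, and classifies the target as internal or external so that hits against private address space can be prioritised.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Assumed log format: client, quoted request line, status, then the raw POST
# body in body="...". Adjust LOG_RE to match the actual web server log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) '
    r'body="(?P<body>[^"]*)"$'
)

# Constructed sample log lines for demonstration; not real rconfig logs.
SAMPLE_LOGS = [
    '10.0.0.5 "POST /ajaxGetFileByPath.php" 200 body="path=%2Fvar%2Flog%2Frconfig.log"',
    '10.0.0.5 "POST /ajaxGetFileByPath.php" 200 body="path=http%3A%2F%2F10.10.0.1%3A8080%2Fadmin"',
    '10.0.0.9 "POST /ajaxGetFileByPath.php" 200 body="path=https%3A%2F%2Fexample.com%2F"',
    '10.0.0.9 "GET /dashboard.php" 200 body=""',
]


def classify_target(value):
    """Return 'internal', 'external', or None if the value is not an http(s) URL."""
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    try:
        ip = ipaddress.ip_address(parsed.hostname)
    except ValueError:
        # A bare hostname without dots is most likely an internal name.
        return "internal" if "." not in parsed.hostname else "external"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"


def detect_ssrf(lines):
    """Return (client, target_class, url) for each request matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "ajaxGetFileByPath" not in m["url"]:
            continue
        for value in parse_qs(m["body"]).get("path", []):
            target_class = classify_target(value)
            if target_class:
                hits.append((m["client"], target_class, value))
    return hits


if __name__ == "__main__":
    for client, target_class, url in detect_ssrf(SAMPLE_LOGS):
        print(f"{client} -> {target_class}: {url}")
```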