CVE-2023-46236
📋 TL;DR
CVE-2023-46236 is a server-side request forgery (SSRF) vulnerability in FOG Project that allows unauthenticated attackers to make arbitrary GET requests from the server to internal or external endpoints. This can lead to file disclosure, internal network scanning, and potential further exploitation depending on server configuration. All FOG Project installations before version 1.5.10 are affected.
💻 Affected Systems
- FOG Project
📦 What is this software?
Fogproject by Fogproject
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via chained attacks, sensitive file disclosure, internal network reconnaissance, and potential lateral movement to other systems.
Likely Case
Unauthorized access to files readable by Apache user, internal service enumeration, and potential credential harvesting from internal endpoints.
If Mitigated
Limited impact with proper network segmentation, but still exposes internal services to enumeration and potential information disclosure.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited and this requires no authentication. Public exploit code exists in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.10
Vendor Advisory: https://github.com/FOGProject/fogproject/security/advisories/GHSA-8qg4-9363-873h
Restart Required: Yes
Instructions:
1. Backup the current FOG installation and database.
2. Download FOG 1.5.10 from the official repository.
3. Follow the upgrade instructions at https://wiki.fogproject.org/wiki/index.php?title=Upgrade_to_trunk.
4. Restart the Apache service.
5. Verify that the patch was applied.
🔧 Temporary Workarounds
Network Access Control
Restrict the Apache user's outbound network access with firewall rules so that new connections it opens toward internal ranges are dropped, while replies on connections that already exist (the server's own HTTP responses to clients) still pass. The web server user is www-data on Debian/Ubuntu and apache on RHEL-family systems; substitute accordingly. Loopback services (127.0.0.1) are not covered by these rules.
iptables -A OUTPUT -m owner --uid-owner www-data -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner www-data -m conntrack --ctstate NEW -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -m conntrack --ctstate NEW -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -m conntrack --ctstate NEW -d 192.168.0.0/16 -j DROP
Apache Configuration Hardening
Limit Apache user permissions and file access through proper SELinux/AppArmor policies. Turning off httpd_can_network_connect blocks every outbound connection Apache initiates, not only SSRF traffic, so confirm that FOG's normal functions still work afterwards.
setsebool -P httpd_can_network_connect off
chmod 750 /var/www/html/fog
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FOG server from sensitive internal networks
- Deploy web application firewall (WAF) with SSRF protection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the FOG version via the web interface, or run:
grep 'FOG_VERSION' /var/www/html/fog/lib/fog/system.class.php
Check Version:
grep "define.*FOG_VERSION" /var/www/html/fog/lib/fog/system.class.php | head -1
Verify Fix Applied:
Verify that the version is 1.5.10 or higher and that SSRF attempts against the about page return proper error responses instead of fetched content.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Apache process
- Access to /fog/management/index.php?node=about with suspicious parameters
- Failed attempts to access internal IP addresses from web server
Network Indicators:
- HTTP requests from FOG server to internal IP ranges on unusual ports
- Multiple GET requests to sequential internal IP addresses
SIEM Query:
source="apache_access.log" AND (uri="/fog/management/index.php" AND query="*node=about*") AND (src_ip="FOG_SERVER_IP")
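The log indicators above can be turned into a small offline detector. The following is an added example written for this page, not code from FOG Project or its advisory: it parses Apache combined-format access log lines, keeps requests to /fog/management/index.php with node=about, and raises an alert whenever any other query parameter carries a URL or IP literal, classifying the named host as internal (loopback, RFC1918, link-local) or external. Because the page does not name the vulnerable parameter, the detector inspects every parameter except node; the parameter names (url, target), the IP addresses and the log lines are all constructed sample data. A second pass flags a source that steered the server at several distinct internal hosts, which matches the "sequential internal IP addresses" network indicator.

```python
"""Detect probable SSRF probes against the FOG about page in Apache access logs."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# Parameter names "url"/"target" are assumptions: the advisory text here does
# not name the vulnerable parameter, so the detector does not depend on them.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2023:10:01:02 +0000] "GET /fog/management/index.php?node=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2023:10:01:05 +0000] "GET /fog/management/index.php?node=about&url=http://10.0.0.5:8080/ HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.10 - - [12/Oct/2023:10:01:06 +0000] "GET /fog/management/index.php?node=about&url=http://10.0.0.6:8080/ HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.10 - - [12/Oct/2023:10:01:07 +0000] "GET /fog/management/index.php?node=about&url=http://10.0.0.7:8080/ HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [12/Oct/2023:10:02:11 +0000] "GET /fog/management/index.php?node=about&target=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.7 - - [12/Oct/2023:10:02:12 +0000] "GET /fog/management/index.php?node=client HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.3 - - [12/Oct/2023:10:03:00 +0000] "GET /fog/management/index.php?node=about&url=https://example.org/ HTTP/1.1" 200 40 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/fog/management/index.php"
URL_SCHEMES = ("http://", "https://", "ftp://", "file://", "gopher://", "dict://")


def classify_host(host):
    """'internal' for loopback, RFC1918 or link-local IP literals, else 'external'.
    Hostnames that are not IP literals cannot be resolved offline and count as external."""
    try:
        ip = ip_address(host)
    except ValueError:
        return "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"


def fetch_targets(query):
    """Return (param, host) pairs for query values that name a remote resource.
    Every parameter except 'node' is inspected; full URLs and bare IP literals both count."""
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "node":
            continue
        if value.lower().startswith(URL_SCHEMES):
            host = urlsplit(value).hostname
            if host:
                found.append((key, host))
        else:
            try:
                ip_address(value)
                found.append((key, value))
            except ValueError:
                pass
    return found


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def scan_log(text):
    """One alert per request to the about page that carries a fetch target."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        if dict(parse_qsl(rec["query"])).get("node") != "about":
            continue
        for param, host in fetch_targets(rec["query"]):
            alerts.append({"src": rec["src"], "ts": rec["ts"], "param": param,
                           "host": host, "scope": classify_host(host),
                           "status": rec["status"]})
    return alerts


def find_sweeps(alerts, min_hosts=3):
    """Sources that pointed the server at min_hosts or more distinct internal hosts."""
    hosts = defaultdict(set)
    for a in alerts:
        if a["scope"] == "internal":
            hosts[a["src"]].add(a["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['host']} ({a['scope']}, "
              f"param={a['param']}, status={a['status']})")
    print("internal sweeps:", find_sweeps(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; an "internal" alert with a 200 status is the strongest signal that the server actually fetched the target, and a sweep entry from an unauthenticated source is worth an immediate look at the firewall and SELinux workarounds above.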
🔗 References
- https://github.com/FOGProject/fogproject/commit/9125f35ff649a3e7fd7771b1c8e5add3c726f763
- https://github.com/FOGProject/fogproject/security/advisories/GHSA-8qg4-9363-873h