cbcvebase.
CVE-2018-9302
published 2018-05-02

CVE-2018-9302: SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic…

Priority: P2 65 · critical · 9.1 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS: 10.85% (95.3rd percentile)
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14611, which was about version 0.13.0, which (surprisingly) is an earlier version than 0.4.4.

Affected

1 range

Vendor      Product   Version range    Fixed in
getcockpit  cockpit   0.4.4 – 0.5.5    –

Detection & IOCs (extracted from sources)

path: /assets/lib/fuc.js.php
url: /assets/lib/fuc.js.php?url=http://myserver/redirect.php
  • Monitor HTTP GET requests to /assets/lib/fuc.js.php containing a 'url' parameter — this is the SSRF trigger endpoint for CVE-2018-9302.
  • Alert on requests to /assets/lib/fuc.js.php where the 'url' parameter contains internal/RFC-1918 IP addresses or non-HTTP(S) schemes (gopher, dict, ldap, imap, pop3, smtp, telnet, tftp, ftp) indicating SSRF/protocol abuse.
  • The exploit relies on open redirect via an attacker-controlled redirect.php to bypass URL validation; watch for outbound requests from the web server that were initiated by /assets/lib/fuc.js.php following a redirect chain to internal hosts.
  • CURLOPT_FOLLOWLOCATION being set to 1 (default) enables redirect-based SSRF; detection should flag any server-side curl activity originating from fuc.js.php that reaches RFC-1918 address space.
  • The SSRF is exploitable without curl if PHP's allow_url_fopen is enabled (which is the default); in that case protocol support is limited to http, https, and ftp.
  • When curl is available, the attacker can leverage additional protocols (gopher, tftp, dict, ldap, imap, pop3, smtp, telnet), significantly expanding the attack surface beyond simple HTTP SSRF.
  • This CVE affects Cockpit versions 0.4.4 through 0.5.5 and is an incomplete fix of CVE-2017-14611, which affected version 0.13.0: a higher version number, but chronologically the earlier release.
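The first two detection bullets above can be turned directly into log-side logic. The following is an added example, not code from cbcvebase or from the Cockpit project: it parses web-server access log lines in combined log format (the sample lines are constructed), picks out requests to /assets/lib/fuc.js.php that carry a url parameter, and grades them by whether the requested target is a loopback/RFC-1918 literal or uses one of the non-HTTP(S) schemes the advisory lists. Hostnames (such as the myserver in the IOC above) cannot be resolved offline, so they are reported as unresolved rather than silently treated as external; the function and field names are this example's own.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Values taken from the advisory: the trigger endpoint and the schemes the
# detection notes call out as protocol abuse when curl is available.
TRIGGER_PATH = "/assets/lib/fuc.js.php"
NON_HTTP_SCHEMES = {"gopher", "dict", "ldap", "imap", "pop3", "smtp",
                    "telnet", "tftp", "ftp"}

# Combined-log-format parser: source address, timestamp, method, request
# target and status code are all this example needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_host(host):
    """'internal' for loopback/RFC-1918/link-local literals or 'localhost',
    'external' for other IP literals, 'unresolved' for names (no DNS offline)."""
    if host is None:
        return "unresolved"
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "internal" if internal else "external"


def analyze_target(target):
    """Return an alert dict for a request to the SSRF endpoint that carries a
    url parameter, or None for any other request."""
    parsed = urlparse(target)
    if parsed.path != TRIGGER_PATH:
        return None
    url_values = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes
    if not url_values:
        return None
    outbound = urlparse(url_values[0])
    scheme = outbound.scheme.lower()
    host_class = classify_host(outbound.hostname)
    reasons = ["ssrf_trigger"]                # bullet 1: any url= hit on the path
    if scheme in NON_HTTP_SCHEMES:
        reasons.append("non_http_scheme")     # bullet 2: protocol abuse
    if host_class == "internal":
        reasons.append("internal_target")     # bullet 2: RFC-1918 / loopback
    # An unresolved name may still redirect to an internal host (bullet 3);
    # only egress/proxy logs from the web server can confirm that leg.
    severity = "high" if len(reasons) > 1 else "medium"
    return {"url": url_values[0], "scheme": scheme, "host_class": host_class,
            "reasons": reasons, "severity": severity}


def scan_log(lines):
    """Run analyze_target over every parseable line and collect the alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        alert = analyze_target(m["target"])
        if alert:
            alert.update(src=m["src"], ts=m["ts"], status=m["status"])
            alerts.append(alert)
    return alerts


# Constructed sample log lines (documentation address ranges, fictional times).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2018:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2018:10:00:05 +0000] "GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1" 200 88 "-" "curl/7.58"',
    '203.0.113.7 - - [02/May/2018:10:00:09 +0000] "GET /assets/lib/fuc.js.php?url=http://127.0.0.1:8080/ HTTP/1.1" 200 1024 "-" "curl/7.58"',
    '203.0.113.7 - - [02/May/2018:10:00:12 +0000] "GET /assets/lib/fuc.js.php?url=dict%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 0 "-" "curl/7.58"',
    '198.51.100.4 - - [02/May/2018:10:00:20 +0000] "GET /assets/lib/fuc.js.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["src"], alert["url"], alert["reasons"])
```

Only the first url value is inspected, which matches how PHP's $_GET would see a repeated parameter (last wins) only if you reverse the index; adjust that if the server in question behaves differently. The fifth sample line, a hit on the endpoint without a url parameter, deliberately produces no alert, as bullet 1 specifies.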

CVSS provenance

nvd  v3.0  9.1  CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd  v2.0  6.4  MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N