CVE-2023-39110
published 2023-08-01


Priority: P2 (59)
CVSS 3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: known (PoC template referenced in the detection notes below)
EPSS: 2.75% (84.3th percentile)
rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

Affected (1 range)

Vendor    Product    Version range    Fixed in
rconfig   rconfig    (not given)      (not given)

Detection & IOCs (extracted from sources)

path: /lib/ajaxHandlers/ajaxGetFileByPath.php
url: file://localhost/etc/passwd
yara: regex: root:.*:0:0:
  • Monitor HTTP GET requests to /lib/ajaxHandlers/ajaxGetFileByPath.php with a 'path' parameter containing file:// or other non-HTTP URI schemes, indicating SSRF/LFI exploitation attempts.
  • Successful exploitation returns /etc/passwd content in the response body; detect responses matching 'root:.*:0:0:' from this endpoint.
  • Shodan/FOFA exposure queries for rConfig instances: search for http.title:'rConfig' or title='rconfig' to identify internet-exposed targets.
  • Attack requires prior authentication; monitor for login attempts to /lib/crud/userprocess.php followed immediately by requests to the vulnerable ajaxGetFileByPath.php endpoint.
  • Exploitation requires valid credentials; the attack chain is: authenticate via /lib/crud/userprocess.php, then inject a crafted URL (e.g., file://localhost/etc/passwd) into the 'path' parameter of /lib/ajaxHandlers/ajaxGetFileByPath.php.
  • The vulnerable endpoint path differs slightly between the NVD description (/ajaxGetFileByPath.php) and the actual PoC template (/lib/ajaxHandlers/ajaxGetFileByPath.php); use the full path for detection.
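The detection notes above amount to three checks: a non-HTTP URI scheme in the 'path' parameter of ajaxGetFileByPath.php, a response body matching root:.*:0:0:, and a login to /lib/crud/userprocess.php followed shortly by a request to the vulnerable endpoint. The Python below is an added example, not code from this page or from the rConfig project, that runs those checks over a few constructed web-server access-log lines. The combined log format, the client IPs and timestamps, and the 5-minute login-to-endpoint window are assumptions; it matches on the script name at the end of the request path so that both the NVD form and the full /lib/ajaxHandlers/ path are caught.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint names from the advisory. The NVD text gives /ajaxGetFileByPath.php and
# the PoC template gives /lib/ajaxHandlers/ajaxGetFileByPath.php, so match on the
# script name at the end of the request path to cover both forms.
VULN_SCRIPT = "/ajaxGetFileByPath.php"
LOGIN_ENDPOINT = "/lib/crud/userprocess.php"
HTTP_SCHEMES = {"http", "https"}

# Assumed log source: combined log format
#   ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Response-body indicator quoted on the page for a successful /etc/passwd read.
PASSWD_RE = re.compile(r"root:.*:0:0:")

# Constructed sample log lines (not real traffic): one login followed by a
# file:// request, and one unrelated https fetch through the same endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2023:10:00:00 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Aug/2023:10:00:03 +0000] "GET /lib/ajaxHandlers/ajaxGetFileByPath.php'
    '?path=file%3A%2F%2Flocalhost%2Fetc%2Fpasswd HTTP/1.1" 200 1873',
    '10.0.0.9 - - [01/Aug/2023:10:05:00 +0000] "GET /lib/ajaxHandlers/ajaxGetFileByPath.php'
    '?path=https%3A%2F%2Fexample.com%2Fconfig.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2023:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_vuln_endpoint(path):
    return path.endswith(VULN_SCRIPT)


def suspicious_path_param(target):
    """Return the offending 'path' value when it carries a non-HTTP scheme, else None."""
    parts = urlsplit(target)
    if not is_vuln_endpoint(parts.path):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("path", []):
        value = unquote(value)  # tolerate double-encoded values
        scheme = urlsplit(value).scheme.lower()
        if scheme and scheme not in HTTP_SCHEMES:
            return value
    return None


def response_leaks_passwd(body):
    """Apply the page's regex to a response body captured from this endpoint."""
    return PASSWD_RE.search(body) is not None


def detect(lines, window=timedelta(minutes=5)):
    """Return (ip, reason, detail) alerts for the two request-side checks:
    a non-HTTP scheme in the 'path' parameter, and a login POST followed
    within `window` by any request to the vulnerable endpoint."""
    last_login = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if path == LOGIN_ENDPOINT and rec["method"] == "POST":
            last_login[rec["ip"]] = rec["time"]
            continue
        if not is_vuln_endpoint(path):
            continue
        bad = suspicious_path_param(rec["target"])
        if bad is not None:
            alerts.append((rec["ip"], "non-http scheme in path param", bad))
        login_time = last_login.get(rec["ip"])
        if login_time is not None and rec["time"] - login_time <= window:
            alerts.append((rec["ip"], "login followed by ajaxGetFileByPath hit", rec["target"]))
    return alerts


if __name__ == "__main__":
    for ip, reason, detail in detect(SAMPLE_LOG):
        print(f"{ip}: {reason}: {detail}")
```

On the sample lines this raises two alerts for 10.0.0.5 (the file:// value and the login-then-endpoint sequence) and none for 10.0.0.9, whose https fetch is the endpoint's intended use. The response-side check has to run where bodies are visible (a WAF, reverse proxy or application log), since access logs do not carry them; and http(s) values pointing at loopback or internal addresses are still SSRF and need a separate allowlist check that this example does not include.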