CVE-2024-0304 Overview
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in Youke365, a web application platform. This vulnerability exists in the file /app/api/controller/collect.php and allows remote attackers to manipulate the url parameter to perform unauthorized server-side requests. The exploit has been publicly disclosed, increasing the risk of active exploitation in the wild.
Critical Impact
This SSRF vulnerability enables unauthenticated remote attackers to force the server to make arbitrary HTTP requests, potentially accessing internal services, cloud metadata endpoints, and sensitive resources not normally exposed to the internet.
Affected Products
- Youke 365 (vendor: Youke365), versions up to and including 1.5.3
Discovery Timeline
- 2024-01-08 - CVE-2024-0304 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-0304
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSRF flaw resides in the collect.php controller within the Youke365 application's API directory. The vulnerable endpoint fails to properly validate or sanitize the url parameter before processing server-side requests, allowing attackers to specify arbitrary URLs that the server will fetch on their behalf.
SSRF vulnerabilities are particularly dangerous because they can be leveraged to bypass firewalls and network access controls. An attacker can use the vulnerable server as a proxy to access internal network resources, cloud instance metadata services (such as AWS 169.254.169.254), or other services that trust requests originating from the server's IP address.
Root Cause
The root cause of this vulnerability is improper input validation in the /app/api/controller/collect.php file. The application accepts user-supplied URLs through the url parameter and processes them without implementing proper allow-lists, URL scheme restrictions, or internal IP address blocking. This allows attackers to craft malicious requests that bypass intended access controls.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability remotely by sending crafted HTTP requests to the vulnerable endpoint with malicious URL values in the url parameter. The server will then make requests to attacker-specified destinations, potentially returning sensitive data or triggering actions on internal systems.
The vulnerability can be exploited to:
- Access internal services and APIs not exposed to the internet
- Retrieve cloud provider metadata containing credentials
- Scan internal network ports and services
- Potentially pivot to other vulnerabilities in internal systems
Detection Methods for CVE-2024-0304
Indicators of Compromise
- Unusual outbound HTTP requests from the web server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the application server
- HTTP access logs showing requests to /app/api/controller/collect.php with suspicious URL parameters
- Unexpected network connections from the web server to localhost or loopback addresses
Detection Strategies
- Monitor and alert on outbound connections from the web server to RFC 1918 private IP ranges
- Implement Web Application Firewall (WAF) rules to detect SSRF payloads in request parameters
- Review access logs for the collect.php endpoint and analyze URL parameter values for malicious patterns
- Deploy network-level monitoring to detect connections to cloud metadata services from application servers
Monitoring Recommendations
- Enable detailed logging for all API endpoints, particularly /app/api/controller/collect.php
- Configure SentinelOne Singularity to monitor for anomalous network behavior from web application processes
- Set up alerts for DNS queries to internal hostnames or metadata service endpoints
- Implement egress filtering and monitor for policy violations
How to Mitigate CVE-2024-0304
Immediate Actions Required
- Restrict network access to the vulnerable endpoint /app/api/controller/collect.php until patching is possible
- Implement WAF rules to block SSRF attack patterns in the url parameter
- Apply network egress controls to prevent the web server from making requests to internal resources
- Review and remove the vulnerable functionality if it is not business-critical
Patch Information
No official vendor patch has been identified in the available CVE data. Organizations should monitor for updates from Youke365 and apply patches as soon as they become available. For additional technical details, consult the VulDB Advisory and the technical disclosure.
Workarounds
- Implement strict URL validation including allowlist-based domain/IP filtering in the application code
- Block outbound requests to private IP ranges and metadata service IPs at the network level
- Disable or remove the collect.php functionality if not required for business operations
- Deploy a reverse proxy that inspects and filters outbound requests from the application
# Example iptables rules to block SSRF to internal networks
# Block requests to private IP ranges from the web server process
# The owner match only works in the OUTPUT chain; replace www-data with the user the PHP worker actually runs as.
# These rules must precede any rule that ACCEPTs outbound traffic, otherwise the earlier ACCEPT wins.
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
# Cloud instance metadata endpoint (IPv4); loopback (127.0.0.0/8) and IPv6 equivalents need their own rules
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
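The application-level allowlist described under Workarounds and the access-log review described under Detection Strategies share one check: does the url parameter point at a public, allowlisted host? The following added example (not code from Youke365 or from this advisory) implements that check in Python and runs it over constructed access-log lines; ALLOWED_HOSTS and the log lines are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Hosts the collect feature may fetch from (assumed allowlist, not Youke365's own configuration).
ALLOWED_HOSTS = frozenset({"cdn.example.com"})

def is_internal_address(host):
    """True for a literal IP in a private, loopback, link-local (169.254.169.254) or reserved range."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a hostname: the fetcher must resolve it and re-check the resolved IP
    return not ip.is_global

def validate_collect_url(url, allowed_hosts):
    """Allowlist check for the url parameter: http(s) only, no credentials, non-internal, allowlisted host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if is_internal_address(host):
        return False, "internal address"
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    return True, "ok"

# Constructed sample access-log lines (combined log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2024:10:01:02 +0000] "GET /app/api/controller/collect.php?url=https://cdn.example.com/feed.xml HTTP/1.1" 200 512
203.0.113.7 - - [08/Jan/2024:10:01:09 +0000] "GET /app/api/controller/collect.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 318
203.0.113.7 - - [08/Jan/2024:10:01:15 +0000] "GET /app/api/controller/collect.php?url=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 500 0
198.51.100.2 - - [08/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""
# Request line of a collect.php call; the query string is captured for parsing below.
COLLECT_REQ = re.compile(r'"(?:GET|POST) (/app/api/controller/collect\.php\?[^ "]+) HTTP/')

def find_ssrf_attempts(log_text):
    """Return (url value, reason) for every collect.php request whose url target fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = COLLECT_REQ.search(line)
        if not m:
            continue
        for target in parse_qs(urlparse(m.group(1)).query).get("url", []):  # parse_qs percent-decodes
            ok, reason = validate_collect_url(target, ALLOWED_HOSTS)
            if not ok:
                hits.append((target, reason))
    return hits
```

For hostnames the check only passes the allowlist test; the code that performs the fetch must resolve the name, apply is_internal_address to the resolved IP, and connect to that same IP so a DNS rebinding cannot swap in an internal address afterwards.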
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.