SSRF to LFI in Interspire Email Marketer

Vendor of product: Interspire

Product: Email Marketer

Affected function: Administrator function

Affected Version: <= 6.1.6 (Maybe the latest version 6.1.8 is also affected)

Authentication: Authentication is required to exploit the vulnerability. Attacker may bypass authentication by using CVE-2017–14322 — Many organizations still use the old version (< 6.1.6)

Affected Component: admin/functions/remote.php

Attack Type: Remote

If what parameter is importurl, application will get url parameter and use curl_exec function. Attacker can control url to make ssrf request:

Application will create http request to attacker`s server:

Attacker can make LFI (Local File Inclusion) with file:// schema:

Attacker can read any file on system.