Pandora FMS (Flexible Monitoring System) is a robust and widely used open-source monitoring tool for IT infrastructure. But like any software, it can have security flaws—and one of the recently disclosed vulnerabilities is CVE-2023-24515. This bug is a Server-Side Request Forgery (SSRF) that lurks inside the API checker wizard, and it can let attackers steal sensitive files from the server.
In this long read, we’ll break down what this vulnerability is, how it can be exploited, and what you can do to stay safe.
What is CVE-2023-24515?
CVE-2023-24515 is a security issue inside Pandora FMS (versions 767 and older) which lets attackers abuse a missing check in the API checker tool. When Pandora gets a URL to check, it simply tries to open it—no matter what kind of URL it is, including dangerous ones like file://. With the right tricks, a hacker can read files from your server.
Why is this Dangerous?
SSRF means that an attacker is able to make requests from the application’s server, usually to otherwise-protected internal resources. If a web app gets told to fetch something, and does so without limits, it’s a problem. If it can fetch files, it’s even worse. CVE-2023-24515 lets attackers ask Pandora FMS to fetch *any* file, including sensitive system files!
Vulnerable Component: API Checker
The API checker tool in Pandora FMS doesn't validate which URL schemes are allowed. Normally, it should only accept http:// or https://, but here, even file:// and others are fair game.
```
file:///etc/passwd
```
2. Pandora FMS dutifully tries to fetch the file as if it were a remote webpage, and—even worse—shows the file’s contents back in the web interface.
Exploit: Step-by-Step
Let’s walk through a *simplified* attack example. Say you’re on Pandora FMS v767 and have access to the API checker tool (which requires the necessary privileges).
- In the *API URL* input, instead of a regular API endpoint like `http://api.example.com/status`, use a file:// URL to an interesting file, for example `file:///etc/passwd`.
- Submit the form.
- If vulnerable, you’ll see the full contents of the server’s /etc/passwd file in the result.
Here is a simple proof-of-concept using curl (if the form uses POST):
```bash
curl -X POST \
  -d "api_url=file:///etc/passwd" \
  -b "PHPSESSID=your-session-cookie" \
  https://your-pandora-fms.example.com/pandora_console/api_checker_endpoint.php
```
Impact
- Sensitive file disclosure: /etc/passwd, /etc/shadow (if permissions allow), application config files… all are at risk.
- Internal network access: If an attacker can reach the API checker, they could also hit internal network services (SSRF to localhost).
Mitigation
- Upgrade: Update Pandora FMS to the latest version! Official download page
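- If you’re customizing Pandora, validate input like this (PHP example):
```php
$url = $_POST['api_url'] ?? '';
// parse_url() yields null or false here when the URL is malformed or has no scheme
$scheme = parse_url($url, PHP_URL_SCHEME);
// Allow only http and https: lower-case the scheme and compare strictly
if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
    die('Invalid URL scheme!');
}
// ...proceed with fetching...
```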
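The scheme check stops the file:// read, but the internal-network impact listed above also needs a check on where the request is going. The following is an added example, not code from Pandora FMS or from the original article; the function name `is_safe_api_url`, the injected resolver and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example, not Pandora FMS code; all names are hypothetical.
// $resolver maps a hostname to a list of IP strings (injected so the demo runs offline).
function is_safe_api_url(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed, or no host (file:///etc/passwd has none)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // any scheme other than http/https
    }
    $host = trim($parts['host'], '[]'); // parse_url() keeps brackets on IPv6 literals
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        // Default resolver is IPv4-only (gethostbynamel); returns [] on failure
        $resolver = $resolver ?? static fn(string $h): array => gethostbynamel($h) ?: [];
        $ips = $resolver($host);
    }
    if ($ips === []) {
        return false; // unresolvable host
    }
    foreach ($ips as $ip) {
        // Reject loopback, link-local, RFC 1918 and other private/reserved ranges
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: stub DNS answers and candidate URLs.
$stubDns = static fn(string $h): array => [
    'api.example.com'      => ['93.184.216.34'],
    'internal.example.com' => ['10.0.0.5'],
][$h] ?? [];

foreach ([
    'http://api.example.com/status',
    'file:///etc/passwd',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'http://internal.example.com/admin',
] as $candidate) {
    $verdict = is_safe_api_url($candidate, $stubDns) ? 'allow' : 'reject';
    printf("%-36s %s\n", $candidate, $verdict);
}
```

Because a second DNS lookup at fetch time can return a different address, the fetch should connect to the address that was validated (for example via cURL's `CURLOPT_RESOLVE`) and restrict protocols with `CURLOPT_PROTOCOLS`. Every redirect target needs the same check.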
Conclusion
CVE-2023-24515 is a clear example of why validating user input—especially URLs—is so critical. SSRF bugs can be tricky to spot but often have devastating effects when combined with file handler schemes like file://. If you run Pandora FMS v767 or earlier, upgrade *today* and check your input defenses.
Stay safe, and keep monitoring—securely!
*This article is exclusive and intended for educational purposes. Always test on your own systems and with permission.*
Timeline
Published on: 08/22/2023 19:16:00 UTC
Last modified on: 10/18/2023 12:15:00 UTC