CVE-2023-39108: 
rConfig vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in rConfig version 3.9.4, identified as CVE-2023-39108. The vulnerability exists in the doDiff function of /classes/compareClass.php and allows authenticated attackers to make arbitrary requests through the injection of crafted URLs via the pathb parameter ([GitHub Advisory](https://github.com/zer0yu/CVERequest/blob/master/rConfig/rConfigpathb.md), NVD).

The vulnerability resides in the doDiff() function within classes/compareClass.php. The issue stems from insufficient validation of the pathb parameter in www/lib/crud/configcompare.crud.php. The vulnerability follows a specific function call stack where the tainted input from the pathb parameter is passed through the file function, ultimately leading to SSRF. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability enables authenticated attackers to perform arbitrary file reads and make requests to internal and external resources. For example, attackers can use the file:// protocol to read sensitive system files like /etc/passwd or probe internal web services (GitHub Advisory).