diff --git a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
index d930a484..3e32cf72 100644
--- a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
@@ -490,6 +490,18 @@ class SecuBoxAnalytics:
         full_url = request.pretty_url.lower()
         query = request.query
         body = request.content.decode('utf-8', errors='ignore').lower() if request.content else ''
+        content_type = request.headers.get('content-type', '').lower()
+
+        # === CVE-2025-15467 CHECK FIRST (Content-Type based) ===
+        # OpenSSL CMS AuthEnvelopedData stack overflow - must check before SSRF
+        if any(ct in content_type for ct in CMS_CONTENT_TYPES):
+            body_len = len(body) if body else 0
+            severity = 'critical' if body_len > 1024 else 'high'
+            return {
+                'is_scan': True, 'pattern': 'CVE-2025-15467', 'type': 'cve_exploit',
+                'severity': severity, 'category': 'cms_attack',
+                'cve': 'CVE-2025-15467'
+            }
 
         # Build combined search string
         search_targets = [path, full_url, body]
@@ -551,7 +563,6 @@ class SecuBoxAnalytics:
         }
 
         # Check XXE (in body/headers for XML)
-        content_type = request.headers.get('content-type', '').lower()
         if 'xml' in content_type or body.startswith(' 1024 else 'high'
-            return {
-                'is_scan': True, 'pattern': 'CVE-2025-15467', 'type': 'cve_exploit',
-                'severity': severity, 'category': 'cms_attack',
-                'cve': 'CVE-2025-15467'
-            }
-
         # Check LDAP Injection
         for pattern in LDAP_INJECTION_PATTERNS:
             if re.search(pattern, combined, re.IGNORECASE):
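Review bot: The severity threshold in the new CVE-2025-15467 branch of the first hunk measures `body`, which is `request.content` decoded with `errors='ignore'` and lowercased, so for a binary CMS/DER payload every byte that is not valid UTF-8 is dropped from the count and a large body can be scored `high` instead of `critical`; measure the raw request instead, `body_len = len(request.content) if request.content else 0`. The `if body else 0` guard on the current line is also redundant, since `body` is always a `str` by that point. Because the branch returns on the Content-Type header alone, before any inspection of the body, a legitimate CMS or S/MIME upload passing through the proxy is reported as `cve_exploit` too; that is worth stating next to the existing comment, e.g. `# NOTE: Content-Type match only, no structural check of the CMS body - expect false positives on legitimate CMS traffic`. The enclosing method begins before this hunk and its remaining checks continue after it.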