
Security Issue: Local Port Scan #27

Closed
theMiddleBlue opened this issue Oct 11, 2017 · 2 comments


theMiddleBlue commented Oct 11, 2017

Hi,

during a vulnerability assessment, I've seen this script included in a WordPress plugin, which allowed me to check whether a TCP port was listening on the localhost or local network of my target by reading the different returned errors:

# An open 22/tcp port:
$ curl -s 'http://target/wp-content/plugins/-redacted-/html2canvasproxy.php?url=http://127.0.0.1:22'
console.log("error: html2canvas-proxy-php: This request did not return a HTTP response valid");

# A closed 1234/tcp port:
$ curl -s 'http://target/wp-content/plugins/-redacted-/html2canvasproxy.php?url=http://127.0.0.1:1234'
console.log("error: html2canvas-proxy-php: SOCKET: Connection refused(111)");

Moreover, in the specific environment of the plugin, I was able to store a "Cross-Site Scripting" payload by making this script fetch text/html content that includes unsanitized JavaScript syntax. Obviously, in this case, the problem is not related to the html2canvas script but to the way it is used.

Probably, in my humble opinion, it should not be possible to request ports other than tcp/80 and tcp/443 unless explicitly allowed by configuration, and it should remove JavaScript syntax before storing the output file.

Sorry for any inaccuracies, let me know if you need more details.

@brcontainer
Owner

@theMiddleBlue I clearly understand, thanks for the suggestions about sanitizing the HTML, and I will also block the ports (allowed by define('ALLOWED_PORTS', array(80, 443))) - Thanks! :)

@brcontainer
Owner

@theMiddleBlue security improvements: 2f66804

For domains, change this line: define('H2CP_ALLOWED_DOMAINS', array( '*' ));

  • Use * to allow all domains
  • For sub-domains, use a pattern like *.site.com
  • For fixed domains, use a list like array( 'site.com', 'www.site.com' )

To define the allowed ports, use define('H2CP_ALLOWED_PORTS', array( 80, 443 )); the default ports are 80 and 443.
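As an added illustration of the allowlist described in this comment (example code, not html2canvas-proxy-php's own), a PHP check that applies H2CP_ALLOWED_DOMAINS and H2CP_ALLOWED_PORTS to a requested URL before the proxy fetches it. The function names and the sample constant values are hypothetical; only the two constant names come from the comment above.

```php
<?php
// Added example, not the project's code. Sample allowlist values (constructed).
define('H2CP_ALLOWED_DOMAINS', array('*.example.com', 'example.org'));
define('H2CP_ALLOWED_PORTS', array(80, 443));

// True if $host matches one pattern: '*' (any host), '*.site.com'
// (any sub-domain of site.com, not site.com itself), or an exact name.
function h2cp_domain_allowed(string $host, array $patterns): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($patterns as $pattern) {
        $pattern = strtolower($pattern);
        if ($pattern === '*' || $pattern === $host) {
            return true;
        }
        if (strncmp($pattern, '*.', 2) === 0) {
            $suffix = substr($pattern, 1);           // e.g. ".example.com"
            $len = strlen($suffix);
            if (strlen($host) > $len && substr($host, -$len) === $suffix) {
                return true;
            }
        }
    }
    return false;
}

// Decides whether the proxy may fetch $url at all. Every rejection returns
// the same false, so the caller cannot tell a blocked port from a blocked
// host; combined with one generic error message this removes the
// open/closed oracle described in the report.
function h2cp_url_allowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                                // no file://, ftp:// etc.
    }
    // Explicit port wins; otherwise the scheme's default port is checked.
    $port = isset($parts['port']) ? (int) $parts['port'] : ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, H2CP_ALLOWED_PORTS, true)) {
        return false;
    }
    return h2cp_domain_allowed($parts['host'], H2CP_ALLOWED_DOMAINS);
}
```

With the sample constants, the http://127.0.0.1:22 request from the report is rejected on the port check before any connection is made. Note that keeping '*' in H2CP_ALLOWED_DOMAINS still lets the proxy reach any host the server can resolve on ports 80 and 443, so a fixed domain list is the safer setting.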
