You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A Server-Side Request Forgery (SSRF) in weixin.php file of [chatgpt-wechat-personal](a0857f6) allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs by post a XML data. It should be noted that this vulnerability can be triggered without the need for authentication and is therefore more harmful.
The vulnerable code is located in the weixin.php file. Because the function does not perform sufficient checksumming on user-input, the taint is introduced from the file_get_contents("php://input") variable into the tainted function simplexml_load_string , and after the simplexml_load_string function is executed it sends a request to the URL specified by the user-provided URL, eventually leading to an SSRF vulnerability.
Because the user-provided post data is unrestricted, it is also possible to use the server side to send requests, such as probing web services. The corresponding PoC is as follows:
SSRF vulnerability in
weixin.php
File (chatgpt-wechat-personal)0x01 Affected version
vendor: https://github.com/dirk1983/chatgpt-wechat-personal
version: [release](a0857f6)
php version: 7.0.30
libxml 2.8.0
0x02 Vulnerability description
A Server-Side Request Forgery (SSRF) in
weixin.php
file of [chatgpt-wechat-personal](a0857f6) allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs by post a XML data. It should be noted that this vulnerability can be triggered without the need for authentication and is therefore more harmful.The vulnerable code is located in the
weixin.php
file. Because the function does not perform sufficient checksumming on user-input, the taint is introduced from thefile_get_contents("php://input")
variable into the tainted functionsimplexml_load_string
, and after thesimplexml_load_string
function is executed it sends a request to the URL specified by the user-provided URL, eventually leading to an SSRF vulnerability.Because the user-provided post data is unrestricted, it is also possible to use the server side to send requests, such as probing web services. The corresponding PoC is as follows:
You can also request the following curl command
0x03 Mitigation
It is recommended to disable external entities by adding the following line at the beginning of the code
0x04 Acknowledgement
z3
The text was updated successfully, but these errors were encountered: