This repository was archived by the owner on Sep 18, 2024. It is now read-only.

Server-side request forgery (SSRF) vulnerability #805

@LioTree

Description


https://gleezcms.org/http%3A%2F%2Fwww.google.com
https://gleezcms.org/gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5Ftest

If `://` is in the path of the URL, gleezcms will use the curl library to send the request.

This vulnerability is far more dangerous than it looks, because curl supports the gopher protocol, which is commonly used to attack php-fpm, redis, memcached and so on. If these applications exist, this SSRF may cause remote code execution.

It seems that this vulnerability is caused by different versions of the Kohana framework.

In classes/Kohana/Request.php of Kohana core 3.2, it checks Request::$initial first, which prevents the default index.php from being able to proxy external pages.

https://github.com/kohana/core/blob/3.2/master/classes/kohana/request.php#L801

But in Kohana core 3.3, it deletes the check of Request::$initial and instead uses $allow_external to prevent the default index.php from being able to proxy external pages. $allow_external is set to FALSE in index.php.

https://github.com/kohana/core/blob/3.3/master/classes/Kohana/Request.php#L678
https://github.com/kohana/kohana/blob/3.3/master/index.php#L117

The problem is that gleezcms's index.php is similar to Kohana 3.2, but modules/gleez/classes/request.php is based on Kohana 3.3 after d68b9c9, which means $allow_external is TRUE and index.php can be used to proxy external pages.
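The report's examples show the tell-tale of this bug in server logs: a request path that URL-decodes to an absolute URI (`http://...`, `gopher://...`). The following detection script is an added example written for this page, not code from the issue, gleezcms or Kohana; the access-log lines, regexes and function names are constructed for illustration.

```python
"""Flag access-log requests whose *path* decodes to an absolute URI, the pattern
that reaches Request::factory()'s '://' check in the affected gleezcms build."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the issue or any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /http%3A%2F%2Fwww.google.com HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /gopher%3A%2F%2F127%2E0%2E0%2E1%3A9000%2F%5Ftest HTTP/1.1" 200 33
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/hello-world HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=http%3A%2F%2Fexample.org HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r'^(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://')


def extract_external_uri(target):
    """Return (scheme, decoded_path) if the request path (not the query string)
    decodes to an absolute URI, else None. Decoding is repeated a bounded
    number of times so a double-encoded '://' is not missed."""
    path = target.split('?', 1)[0].lstrip('/')
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    m = SCHEME_RE.match(decoded)
    if not m:
        return None
    return m.group('scheme').lower(), decoded


def scan_access_log(text):
    """Return a list of (client_ip, scheme, decoded_uri) for suspicious lines.
    A query-string URL (e.g. a search term) is deliberately not flagged."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = extract_external_uri(m.group('target'))
        if found:
            hits.append((line.split(' ', 1)[0], found[0], found[1]))
    return hits


if __name__ == '__main__':
    for ip, scheme, uri in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested a {scheme}:// target via the path: {uri}")
```

A gopher:// hit against a loopback address, as in the second constructed line, is the case the report singles out as most dangerous and is worth alerting on separately.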
