phpThumb 1.7.12 Server Side Request Forgery

Risk: Low
Local: No
Remote: Yes

#phpThumb 'phpThumbDebug' Server Side Request Forgery
#Google Dork: inurl:phpThumb.php
#Author: Rafay Baloch And Deepanker Arora
#Company: RHA InfoSEC
#Impact: High
#Vendor:
#Version: 1.7.12
#Status: Reported And Fixed

===========
Description
===========

A server side request forgery is not a single vulnerability; rather, it represents several different classes of vulnerability. In a server side request forgery an attacker crafts forged requests to hosts on the intranet or the internet, using the vulnerable server as a pivot point. Several other attacks can be built on top of this; however, we will keep it at a basic level for a better understanding.

===========
Explanation
===========

The debug mode in phpThumb was introduced for troubleshooting purposes; however, when it is turned on it can result in a server side request forgery. By exploiting such an SSRF vulnerability an attacker may be able to scan local or remote ports, fingerprint services, etc. Let's take a look at the piece of code responsible for fetching an external image:

    if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
        $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
        $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
        $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
    } else {
        $phpThumb->ErrorImage($error);
    }

    if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
        $md5s = md5($rawImageData);
    }

The above code is responsible for fetching an external image file named by the "src" parameter. The code doesn't check whether the data retrieved is actually a valid image. Therefore, with debug mode set to "True" it displays the error message received from the lower-layer network sockets, which enables an attacker to launch a server side request forgery attack.

Furthermore, I noticed that there was a validation being performed for protocols such as file://:

    if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {

However, this doesn't prevent the attack completely, as an attacker may be able to leverage other protocols such as gopher://, dict:// etc. in order to exploit this vulnerability.

================
Proof of Concept
================

has known ports 22, 80 and 25 open. In the case where server errors are turned on, there is a distinct response when probing open ports versus closed ports.

[Screenshot: Open port]
[Screenshot: Open port]
[Screenshot: Closed port]

======
Remedy
======

It is recommended to turn off the "debug" mode. The debug mode can be disabled by changing the following line inside the PHP code:

    $PHPTHUMB_CONFIG['disable_debug'] = false;

to:

    $PHPTHUMB_CONFIG['disable_debug'] = true;

===
Fix
===

1) The authors explicitly disabled all protocols other than http/https/ftp. This removes some of the attack vectors.
2) The debug mode has been disabled and the "High Security Mode" has been enabled by default in phpThumb version 1.7.12. Take a look at the author's note:
3) Further security improvements are to be done in future versions.

==========
References
==========
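The following is an added example, not phpThumb's own code and not part of the advisory: a defensive gate for the "src" value that applies the two mitigations discussed above (a scheme allowlist instead of the regex, and no socket-level error text in the response) and adds the missing "is this really an image" check. is_safe_remote_src(), ALLOWED_SCHEMES and $why are hypothetical names; $PHPTHUMB_CONFIG['disable_debug'] is the setting from the Remedy section.

```php
<?php
// Added example (not phpThumb code): validate the remote "src" URL before
// fetching it, and keep low-level network errors out of the HTTP response.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];  // the set the 1.7.12 fix keeps

// Returns true if $src uses an allowlisted scheme and its host resolves only to
// globally routable addresses. $reason receives a generic client-safe message.
function is_safe_remote_src(string $src, ?string &$reason = null): bool {
    $parts = parse_url($src);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        $reason = 'malformed URL';
        return false;
    }
    // An allowlist, unlike the regex '#^(f|ht)tp\://#i', rejects gopher://,
    // dict:// and any other scheme the fetch layer might happen to support.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        $reason = 'unsupported URL scheme';
        return false;
    }
    // Resolve the host and refuse loopback, private and reserved ranges so the
    // server cannot be used as a pivot against localhost or the internal network.
    $ips = filter_var($parts['host'], FILTER_VALIDATE_IP)
        ? [$parts['host']]
        : (gethostbynamel($parts['host']) ?: []);
    if ($ips === []) { $reason = 'host does not resolve'; return false; }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            error_log("phpThumb: blocked src $src (resolves to $ip)"); // detail stays server-side
            $reason = 'host not permitted';
            return false;
        }
    }
    return true;
}

// Fetch path: debug off as the Remedy section advises, and the raw socket
// $error text never reaches the client; the response is the same generic
// message whether the probed port was open, closed or filtered.
$PHPTHUMB_CONFIG['disable_debug'] = true;
if (!is_safe_remote_src($_GET['src'] ?? '', $why)) {
    http_response_code(400);
    exit('Image could not be loaded: ' . $why);
}
$raw = @file_get_contents($_GET['src']);
if ($raw === false || getimagesizefromstring($raw) === false) {
    http_response_code(400);
    exit('Image could not be loaded');   // non-image or unreadable data is rejected
}
```

The name is resolved once at check time; a fetch that later resolves to a different address (DNS rebinding) is not covered by this gate and needs the address policy enforced on the connecting socket itself.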

