=============================================================================
Title : CakePHP Xml class SSRF Vulnerability
CVE Number : N/A (not assigned)
Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may
also be affected)
Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/
Issue Status : v3.0.6/2.6.6 was released which fixes this issue
=============================================================================
Overview:
-----------------------------------------------------------------------------
CakePHP is an open-source web application framework for PHP.
CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side
Request Forgery) attacks. Remote attacker can utilize it for at least
DoS (Denial of Service) attacks, if the target application accepts
XML as an input. It is caused by insecure design of Cake's Xml class.
Details:
-----------------------------------------------------------------------------
Here is an abstract from Cake\Utility\Xml.php (v3.0.3).
96: public static function build($input, array $options = [])
97: {
....
104: if (is_array($input) || is_object($input)) {
105: return static::fromArray($input, $options);
106: }
107:
108: if (strpos($input, '<') !== false) {
109: return static::_loadXml($input, $options);
110: }
111:
112: if (file_exists($input)) {
113: return static::_loadXml(file_get_contents($input), $options);
114: }
The problematic part is line 112-114, where $input is treated as a
URL (file path) and the method tries to fetch the content of the URL,
if it does not contain any '<' character.
Therefore, if values such as those shown below are given to it,
the application will block.
1. file:///dev/random
-> blocks permanently (until so much entropy supplied)
2. /dev/urandom
-> blocks until hitting memory limit
3. ftp://very_slow_host/a
-> blocks until socket timeout
Attackers can exhaust MaxClients (on Apache), just by sending
the number of requests with these values instead of normal XML.
CakePHP seems to accept XML inputs when RequestHandlerComponent,
which is designed to handle XHR requests that may contain XML or
JSON in their body, is enabled.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/controllers/components/request-handling.html
When the component is enabled and a request has necessary headers
(Content-Type and X-Requested-With), raw body of the request is
passed to Xml::build() directly (i.e. without validation), which
can obviously be used for attacks.
However, it seems hard to successfully conduct other types of
attack than DoS, because there are some hurdles for attackers.
Firstly, usual web applications are unlikely to return the full
request data. This means there is very little opportunity for file
theft attacks, regardless of whether the target file is XML or not.
The second hurdle is file_exists() check in line 112, which results
in URLs with interesting schemes like "expect" and "http" being
rejected.
But still DoS and timing attacks like internal network scan using
ftp URL's are possible. Additionally, in CakePHP v2, attackers can
also use http(s) URLs for such attacks, as Cake2 accepts URLs with
these schemes.
Timeline:
-----------------------------------------------------------------------------
2015/05/27 Reported to CakePHP Security ML
2015/05/29 Vender announced v3.0.6 & 2.6.6
2015/10/15 Disclosure of this advisory
Recommendation:
-----------------------------------------------------------------------------
Upgrading to the latest versions is recommended, if your app
accepts XML data, as stated in the release note.
https://github.com/cakephp/cakephp/releases/tag/3.0.6
One thing I think should be noted is that the default behavior
of the method (Xml::build()) was kept as it had been, in order to
avoid compatibility problems.
https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0
This means you need to modify your program, if you pass untrusted
data to the method in your own program code to deal with XML.
Technically, specifying a newly created option (readFile = false)
for the method disables URL loading feature, thus can prevent DoS
and other relevant attacks. See the URL above (github commit log)
for details.
--
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/