** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9088

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1394820

Title:
  SSRF in external feed

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  SSRF [1] (Server Side Request Forgery) is a vulnerability allowing
  requests to be made from the context of the server. This could allow
  an attacker to gain access to previously unknown data.

  The vulnerability is present in the external feeds block. Steps to
  reproduce:

  1. Create a new "External feeds block"
  2. Configure the block.
  3. Use the "Feed location" input to exploit the vulnerability.
  Possible exploits:
  - Port scanning, by using http://localhost:1/ through to http://localhost:65535/. Example responses:
    * Port closed: "The feed appears to be invalid. The error reported was: Failed to connect to localhost port 23: Connection refused"
    * Port open, but not HTTP: "The feed appears to be invalid. The error reported was: Recv failure: Connection reset by peer"
    * Port open, but HTTP: "The feed appears to be invalid. The error reported was: Invalid input: this is not valid XML"
  - Local network scan, using http://192.168.0.1/ to http://192.168.255.254 and other ranges:
    * Either by one of the above error messages, or timing attacks.
  - Local DNS scan, using random DNS entries:
    * No DNS entry gives: "The feed appears to be invalid. The error reported was: Could not resolve host: ..."
    * A valid DNS entry would give an output as above.

  You could also use this vulnerability to perform attacks on internal systems with vulnerabilities exploitable only with GET requests, such as SQLi in query strings.

  Limitations:
  - On the demo site, outbound traffic seems to only allow port 80 (maybe more, but not 81 and 22, which I tested). This may not be an issue on other Mahara instances.

  My recommendations would be:
  - Disallow localhost, and any RFC1914 IPs (private LAN)
  - Disallow unusual ports
  - Rate limit requests
  - Don't follow redirects to localhost and/or local LAN IPs, either via HTTP redirects or DNS records (example of <?php header('Location: http://localhost:22'); ?>, or http://testing.allthethings.co.nz:22/ which resolves to 127.0.0.1).

  Hope that helps, let me know if there are any questions.

  Cheers,

  Hugh

  [1] http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
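One way to implement the URL checks recommended in the report above (scheme and port allow-list, rejecting loopback and private ranges, and resolving a hostname so a DNS record pointing at 127.0.0.1 is caught too). This is an added example in Python, not Mahara's own code (Mahara is PHP; the logic ports directly); FAKE_DNS, fake_resolver and the hostnames and addresses in them are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # the report's "disallow unusual ports"

def default_resolver(host):  # real lookup: every A/AAAA address of the name
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "feed.example.test": ["1.2.3.4"],
    "rebind.example.test": ["1.2.3.4", "127.0.0.1"],  # one record is loopback
}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("could not resolve " + host)
    return FAKE_DNS[host]

def is_public_address(addr):
    # Rejects loopback, private (RFC 1918 and friends), link-local, reserved,
    # multicast and the unspecified address for both IPv4 and IPv6.
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_feed_url(url, resolver=default_resolver):
    """Return (ok, reason); ok only for a public http(s) origin on a standard port."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "unusual port %d" % port
    # A literal IP needs no lookup; a name is resolved and every returned
    # address must be public, so a name that resolves to 127.0.0.1 is refused.
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            addrs = list(resolver(parts.hostname))
        except OSError:
            return False, "could not resolve host"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"
```

To cover the redirect case in the report, the HTTP client must not follow redirects on its own; each Location target is passed through check_feed_url before the next request, and the fetch should connect to the address that was checked rather than re-resolving the name.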

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1394820/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
