Message #22662
[Bug 1394820] Re: SSRF in external feed
** Changed in: mahara/1.9
Status: Fix Committed => Fix Released
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1394820
Title:
SSRF in external feed
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Released
Status in Mahara 1.8 series:
Fix Released
Status in Mahara 1.9 series:
Fix Released
Status in Mahara 15.04 series:
Fix Committed
Bug description:
SSRF [1] (Server Side Request Forgery) is a vulnerability allowing
requests to be made from the context of the server. This could allow
an attacker to gain access to previously unknown data.
The vulnerability is present in the external feeds block. Steps to
reproduce:
1. Create a new "External feeds block"
2. Configure the block.
3. Use the "Feed location" input to exploit the vulnerability.
Possible exploits:
- Port scanning, by using http://localhost:1/ through to http://localhost:65535/. Example responses:
* Port closed: "The feed appears to be invalid. The error reported was: Failed to connect to localhost port 23: Connection refused"
* Port open, but not HTTP: "The feed appears to be invalid. The error reported was: Recv failure: Connection reset by peer"
* Port open, but HTTP: "The feed appears to be invalid. The error reported was: Invalid input: this is not valid XML"
- Local network scan, using http://192.168.0.1/ to http://192.168.255.254 and other ranges:
  * Either by one of the above error messages, or timing attacks.
- Local DNS scan, using random DNS entries:
  * No DNS entry gives: "The feed appears to be invalid. The error reported was: Could not resolve host: ..."
  * A valid DNS entry would give an output as above.
You could also use this vulnerability to perform attacks on internal systems with
vulnerabilities exploitable only with GET requests, such as SQLi in query strings.
Limitations:
- On the demo site, outbound traffic seems to only allow port 80 (maybe more, but not 81 and 22 which I tested). This may not be an issue on other Mahara instances.
My recommendations would be:
- Disallow localhost, and any RFC1914 IPs (private LAN)
- Disallow unusual ports
- Rate limit requests
- Don't follow redirects to localhost and/or local LAN IPs, either
via HTTP redirects, or DNS records. (example of <?php header('Location: http://localhost:22'); ?>, or http://testing.allthethings.co.nz:22/ which resolves to 127.0.0.1).
Hope that helps, let me know if there are any questions.
Cheers,
Hugh
[1] http://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1394820/+subscriptions
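The recommendations in the report (refuse localhost and private-range addresses, refuse unusual ports, and re-check every redirect hop, including names whose DNS records point at 127.0.0.1) can be turned into a single validation step in front of the feed fetcher. The following is an added example written for this page, not Mahara's own code or patch. The DNS table, the IP addresses and the HTTP responses are constructed so the check runs offline; `resolve` and `fetch` are injected callables, and the function names are ours.

```python
"""Defensive URL check for a server-side feed fetcher (added example, not Mahara code).

Every user-supplied feed URL is validated before any connection is made:
scheme, port, and every address the host name resolves to. Redirects are
followed by hand so each hop goes through the same check, which defeats a
public host that answers with "Location: http://localhost:22/".
"""
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}      # anything else counts as an "unusual port"
MAX_REDIRECTS = 3


def ip_is_public(ip_text):
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # is_global already excludes RFC 1918 space, loopback, link-local,
    # CGNAT (100.64/10), the documentation nets and other reserved ranges;
    # multicast and the unspecified address are refused explicitly.
    return ip.is_global and not ip.is_multicast and not ip.is_unspecified


def check_feed_url(url, resolve):
    """Return (ok, reason). `resolve(host)` returns the list of IPs it maps to."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    # Judge every address the name maps to, so a DNS record pointing at
    # 127.0.0.1 is caught the same way a literal loopback address is.
    addresses = resolve(parts.hostname)
    if not addresses:
        return False, "could not resolve host"
    for addr in addresses:
        if not ip_is_public(addr):
            return False, "host resolves to non-public address %s" % addr
    return True, "ok"


def fetch_feed(url, resolve, fetch, max_redirects=MAX_REDIRECTS):
    """Fetch `url`, re-validating each redirect target. Returns (body, reason).

    `fetch(url)` must return (status, location_header_or_None, body).
    """
    for _ in range(max_redirects + 1):
        ok, reason = check_feed_url(url, resolve)
        if not ok:
            return None, "refused %s: %s" % (url, reason)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            if not location:
                return None, "redirect without Location header"
            url = urljoin(url, location)   # relative Location values are legal
            continue
        return body, "ok"
    return None, "too many redirects"


# --- constructed offline stand-ins for DNS and HTTP (not real hosts) ---------
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "feeds.example.org": ["93.184.216.34"],
    "rebind.example.org": ["93.184.216.35", "127.0.0.1"],   # one record is loopback
    "bounce.example.org": ["93.184.216.36"],
}


def fake_resolve(host):
    """Literal IPs need no lookup; names come from the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


FAKE_HTTP = {
    "http://feeds.example.org/rss": (200, None, "<rss/>"),
    "http://bounce.example.org/rss": (302, "http://localhost:22/", ""),
}


def fake_fetch(url):
    return FAKE_HTTP.get(url, (404, None, ""))


if __name__ == "__main__":
    for candidate in ("http://feeds.example.org/rss", "http://localhost:22/",
                      "http://192.168.0.1/", "http://rebind.example.org/"):
        print(candidate, check_feed_url(candidate, fake_resolve))
    print(fetch_feed("http://bounce.example.org/rss", fake_resolve, fake_fetch))
```

One caveat the check alone does not cover: between `resolve()` and the real connection the name may be re-resolved to a different address (DNS rebinding), so a production fetcher should connect to the address it validated and set the Host header itself rather than letting the HTTP client resolve the name again. Rate limiting, the report's third point, belongs in the block configuration handler rather than here.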