what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpThumb 1.7.12 Server Side Request Forgery

phpThumb 1.7.12 Server Side Request Forgery
Posted Dec 2, 2013
Authored by Rafay Baloch, Deepankar Arora

phpThumb version 1.7.12 allows for arbitrary request forgery server-side that can be used maliciously.

tags | exploit, arbitrary
SHA-256 | e913a843b81d9d2b74184a8e642eab8b19aa74dddc1489ee2c4b3c63fb7f54b4

phpThumb 1.7.12 Server Side Request Forgery

Change Mirror Download
#phpThumb 'phpThumbDebug' Server Side Request Forgery
#Google Dork: inurl:phpThumb.php
#Author: Rafay Baloch And Deepanker Arora
#Company: RHA InfoSEC
#Impact: High
#Vendor: http://phpthumb.sourceforge.net/#download
#Version: 1.7.12
#Status: Reported And Fixed

===========
Description
===========

A server side request forgery is not a single vulnerability, however it
represents different classes of vulnerability. In a server side request
forgery an attaker creates forged packets to communicate with the
intra/internet by using the vulnerable server as a pivot point. Several
other different attacks can be performed, however we will keep it at a
basic level for a better understanding.

===========
Explanation
===========

The debug mode in phpThumb was introduced for trouble shooting purposes,
however the debug mode when turned can result in a server side request
forgery. By exploiting it a SSRF vulnerability an attacker may be able to
scan local or remote ports, fingerprint services etc. Let's take a look at
the piece of code responsible for fetching an external image:

if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error,
$phpThumb->config_http_fopen_timeout,

$phpThumb->config_http_follow_redirect)) {
$phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.')
succeeded'.($error ? ' with messsages: "'.$error.'"' :

''), __FILE__, __LINE__);
$phpThumb->DebugMessage('Setting source data from URL
"'.$phpThumb->src.'"', __FILE__, __LINE__);
$phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
} else {
$phpThumb->ErrorImage($error);
}
}
if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error,
$phpThumb->config_http_fopen_timeout,

$phpThumb->config_http_follow_redirect)) {
$md5s = md5($rawImageData);
}

The above code is responsible for fetching an external image file with the
"src" parameter. The code doesn't checks if the image retrived is actually
a valid image. Therefore, under debug mode set to "True" it would display
the error message received from the lower layer network sockets which would
enable an attacker to launch a server side request forgery attack.

Furthurmore, I noticed that there was a validation being perfomed for
protocols such as file://.

if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {

However, this doesn't prevent this attack completly, as an attacker may be
able to leverage other protocols such as gopher://, dict:// etc in order to
exploit this vulnerability.

Proof of Concept
================

Scanme.nmap.org has known ports 22, 80 and 25 open, In case where the
server errors are turned on, there would be a distinct response by probing
open ports vs closed ports.

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:22&phpThumbDebug=9//
Open Port

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:80&phpThumbDebug=9//
Open port

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:1337&phpThumbDebug=9//
Closed port

Remedy
======

It is recommended to turn off the "debug" mode. The debug mode can be
modfying by changing the following lines inside the php code.

"$PHPTHUMB_CONFIG['disable_debug']= false;"

With:

"$PHPTHUMB_CONFIG['disable_debug']= true;".


Fix
===

1) The authors explicitly disabled all other protocols then http/https/ftp
protocols. This minimizes few of the attack vectors.

https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0

2) The debug_mode has been disabled and the "High Security Mode" has been
enabled by default in version phpThumb 1.7.12. Take a look at the author's
note:

3) Further security improvements are to be done in the future versions.

References
==========

http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close