API tools faq
paste
Advertisement
moften

CakePHP Xml class SSRF Vulnerability

moften
Oct 16th, 2015
552
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.49 KB | None | 0 0
raw download clone embed print report
  1. =============================================================================
  2. Title : CakePHP Xml class SSRF Vulnerability
  3. CVE Number : N/A (not assigned)
  4. Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may
  5. also be affected)
  6. Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
  7. http://www.mbsd.jp/
  8. Issue Status : v3.0.6/2.6.6 was released which fixes this issue
  9. =============================================================================
  10.  
  11. Overview:
  12. -----------------------------------------------------------------------------
  13. CakePHP is an open-source web application framework for PHP.
  14. CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side
  15. Request Forgery) attacks. Remote attacker can utilize it for at least
  16. DoS (Denial of Service) attacks, if the target application accepts
  17. XML as an input. It is caused by insecure design of Cake's Xml class.
  18.  
  19. Details:
  20. -----------------------------------------------------------------------------
  21. Here is an abstract from Cake\Utility\Xml.php (v3.0.3).
  22.  
  23. 96: public static function build($input, array $options = [])
  24. 97: {
  25. ....
  26. 104: if (is_array($input) || is_object($input)) {
  27. 105: return static::fromArray($input, $options);
  28. 106: }
  29. 107:
  30. 108: if (strpos($input, '<') !== false) {
  31. 109: return static::_loadXml($input, $options);
  32. 110: }
  33. 111:
  34. 112: if (file_exists($input)) {
  35. 113: return static::_loadXml(file_get_contents($input), $options);
  36. 114: }
  37.  
  38. The problematic part is line 112-114, where $input is treated as a
  39. URL (file path) and the method tries to fetch the content of the URL,
  40. if it does not contain any '<' character.
  41.  
  42. Therefore, if values such as those shown below are given to it,
  43. the application will block.
  44.  
  45. 1. file:///dev/random
  46. -> blocks permanently (until so much entropy supplied)
  47.  
  48. 2. /dev/urandom
  49. -> blocks until hitting memory limit
  50.  
  51. 3. ftp://very_slow_host/a
  52. -> blocks until socket timeout
  53.  
  54. Attackers can exhaust MaxClients (on Apache), just by sending
  55. the number of requests with these values instead of normal XML.
  56.  
  57. CakePHP seems to accept XML inputs when RequestHandlerComponent,
  58. which is designed to handle XHR requests that may contain XML or
  59. JSON in their body, is enabled.
  60.  
  61. http://book.cakephp.org/3.0/en/development/rest.html
  62. http://book.cakephp.org/3.0/en/controllers/components/request-handling.html
  63.  
  64. When the component is enabled and a request has necessary headers
  65. (Content-Type and X-Requested-With), raw body of the request is
  66. passed to Xml::build() directly (i.e. without validation), which
  67. can obviously be used for attacks.
  68.  
  69. However, it seems hard to successfully conduct other types of
  70. attack than DoS, because there are some hurdles for attackers.
  71. Firstly, usual web applications are unlikely to return the full
  72. request data. This means there is very little opportunity for file
  73. theft attacks, regardless of whether the target file is XML or not.
  74. The second hurdle is file_exists() check in line 112, which results
  75. in URLs with interesting schemes like "expect" and "http" being
  76. rejected.
  77.  
  78. But still DoS and timing attacks like internal network scan using
  79. ftp URL's are possible. Additionally, in CakePHP v2, attackers can
  80. also use http(s) URLs for such attacks, as Cake2 accepts URLs with
  81. these schemes.
  82.  
  83. Timeline:
  84. -----------------------------------------------------------------------------
  85. 2015/05/27 Reported to CakePHP Security ML
  86. 2015/05/29 Vender announced v3.0.6 & 2.6.6
  87. 2015/10/15 Disclosure of this advisory
  88.  
  89. Recommendation:
  90. -----------------------------------------------------------------------------
  91. Upgrading to the latest versions is recommended, if your app
  92. accepts XML data, as stated in the release note.
  93.  
  94. https://github.com/cakephp/cakephp/releases/tag/3.0.6
  95.  
  96. One thing I think should be noted is that the default behavior
  97. of the method (Xml::build()) was kept as it had been, in order to
  98. avoid compatibility problems.
  99.  
  100. https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0
  101.  
  102. This means you need to modify your program, if you pass untrusted
  103. data to the method in your own program code to deal with XML.
  104. Technically, specifying a newly created option (readFile = false)
  105. for the method disables URL loading feature, thus can prevent DoS
  106. and other relevant attacks. See the URL above (github commit log)
  107. for details.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!