Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- =============================================================================
- Title : CakePHP Xml class SSRF Vulnerability
- CVE Number : N/A (not assigned)
- Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may
- also be affected)
- Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
- http://www.mbsd.jp/
- Issue Status : v3.0.6/2.6.6 was released which fixes this issue
- =============================================================================
- Overview:
- -----------------------------------------------------------------------------
- CakePHP is an open-source web application framework for PHP.
- CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side
- Request Forgery) attacks. Remote attacker can utilize it for at least
- DoS (Denial of Service) attacks, if the target application accepts
- XML as an input. It is caused by insecure design of Cake's Xml class.
- Details:
- -----------------------------------------------------------------------------
- Here is an abstract from Cake\Utility\Xml.php (v3.0.3).
- 96: public static function build($input, array $options = [])
- 97: {
- ....
- 104: if (is_array($input) || is_object($input)) {
- 105: return static::fromArray($input, $options);
- 106: }
- 107:
- 108: if (strpos($input, '<') !== false) {
- 109: return static::_loadXml($input, $options);
- 110: }
- 111:
- 112: if (file_exists($input)) {
- 113: return static::_loadXml(file_get_contents($input), $options);
- 114: }
- The problematic part is line 112-114, where $input is treated as a
- URL (file path) and the method tries to fetch the content of the URL,
- if it does not contain any '<' character.
- Therefore, if values such as those shown below are given to it,
- the application will block.
- 1. file:///dev/random
- -> blocks permanently (until so much entropy supplied)
- 2. /dev/urandom
- -> blocks until hitting memory limit
- 3. ftp://very_slow_host/a
- -> blocks until socket timeout
- Attackers can exhaust MaxClients (on Apache), just by sending
- the number of requests with these values instead of normal XML.
- CakePHP seems to accept XML inputs when RequestHandlerComponent,
- which is designed to handle XHR requests that may contain XML or
- JSON in their body, is enabled.
- http://book.cakephp.org/3.0/en/development/rest.html
- http://book.cakephp.org/3.0/en/controllers/components/request-handling.html
- When the component is enabled and a request has necessary headers
- (Content-Type and X-Requested-With), raw body of the request is
- passed to Xml::build() directly (i.e. without validation), which
- can obviously be used for attacks.
- However, it seems hard to successfully conduct other types of
- attack than DoS, because there are some hurdles for attackers.
- Firstly, usual web applications are unlikely to return the full
- request data. This means there is very little opportunity for file
- theft attacks, regardless of whether the target file is XML or not.
- The second hurdle is file_exists() check in line 112, which results
- in URLs with interesting schemes like "expect" and "http" being
- rejected.
- But still DoS and timing attacks like internal network scan using
- ftp URL's are possible. Additionally, in CakePHP v2, attackers can
- also use http(s) URLs for such attacks, as Cake2 accepts URLs with
- these schemes.
- Timeline:
- -----------------------------------------------------------------------------
- 2015/05/27 Reported to CakePHP Security ML
- 2015/05/29 Vender announced v3.0.6 & 2.6.6
- 2015/10/15 Disclosure of this advisory
- Recommendation:
- -----------------------------------------------------------------------------
- Upgrading to the latest versions is recommended, if your app
- accepts XML data, as stated in the release note.
- https://github.com/cakephp/cakephp/releases/tag/3.0.6
- One thing I think should be noted is that the default behavior
- of the method (Xml::build()) was kept as it had been, in order to
- avoid compatibility problems.
- https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0
- This means you need to modify your program, if you pass untrusted
- data to the method in your own program code to deal with XML.
- Technically, specifying a newly created option (readFile = false)
- for the method disables URL loading feature, thus can prevent DoS
- and other relevant attacks. See the URL above (github commit log)
- for details.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement