===================================================
Server-Side Request Forgery:
===================================================

Both the current SMF version and the upcoming (Alpha) release are vulnerable to SSRF. In many instances this can be pivoted to achieve server-side code execution. Where pivoting to RCE is not possible, it can still be used for XSPA, probing internal services, (sometimes) LFD, and the other risks associated with generic SSRF.

These vulnerabilities can be found in the input forms for remote avatars (where you can fetch your profile picture from a remote URL). The current version of SMF has no sanitization whatsoever to protect against this. Below is the vulnerable code:

[ ... ] @ Subs-Package.php L2883 - Calls cURL

    elseif (isset($match[1]) && substr($match[1], 0, 4) === 'http' && function_exists('curl_init'))
    {
        // Include the file containing the curl_fetch_web_data class.
        loadClassFile('Class-CurlFetchWeb.php');
        $fetch_data = new curl_fetch_web_data();
        $fetch_data->get_url_data($url, $post_data);

It passes the user-supplied URL straight into a cURL request with no input validation of any kind.

The upcoming Alpha release (2.1x) has extra protections in place. It checks the port when the request is made with fsockopen(), but the cURL request it falls back to on failure has no port checks. Redirects are also set to 0, but a crafted 30x response makes the script call the function again with the redirection level incremented by 1 (up to a maximum of 3), so 301 redirection remains viable.

[ ... ] @ Subs.php L5163 - Repeat function with redirect level incremented

    // Redirect in case this location is permanently or temporarily moved.
    if ($redirection_level < 3 && preg_match('~^HTTP/\S+\s+30[127]~i', $response) === 1)
    {
        $header = '';
        $location = '';
        while (!feof($fp) && trim($header = fgets($fp, 4096)) != '')
            if (strpos($header, 'location:') !== false)
                $location = trim(substr($header, strpos($header, ':') + 1));

        if (empty($location))
            return false;
        else
        {
            if (!$keep_alive)
                fclose($fp);
            return fetch_web_data($location, $post_data, $keep_alive, $redirection_level + 1);
        }
    }
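A hardened replacement for the unchecked avatar fetch, as an added example and not SMF's own code (the function names, the 80/443 port allow-list and the 3-hop limit are assumptions): it allow-lists the scheme and port, resolves the host once and rejects loopback, private and reserved addresses, pins that address with CURLOPT_RESOLVE, and re-validates every redirect target itself instead of letting cURL follow it.

```php
<?php
// Added example (not SMF's code): validate a user-supplied avatar URL and
// re-validate every redirect hop instead of letting cURL follow Location.
// Assumed to replace the unchecked get_url_data($url, $post_data) call.
// IPv4 only: bracketed IPv6 literals fail the filter below and are rejected.

function validate_avatar_url(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) return null;
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) return null;   // no file://, gopher://, dict://
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) return null;             // no internal service ports
    $ip = gethostbyname($p['host']);                                // name unchanged on failure
    // Reject unresolved names and loopback / RFC 1918 / link-local / reserved addresses.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) return null;
    return ['host' => $p['host'], 'port' => $port, 'ip' => $ip];
}

function fetch_avatar(string $url, int $max_redirects = 3): ?string
{
    for ($hop = 0; $hop <= $max_redirects; $hop++) {
        $t = validate_avatar_url($url);
        if ($t === null) return null;
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,                 // hops are validated above, not by cURL
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            // Pin the address just checked so a DNS rebind cannot change the target.
            CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);     // absolute Location target, if any
        curl_close($ch);
        if ($body === false) return null;
        if (in_array($code, [301, 302, 307, 308], true) && !empty($next)) {
            $url = $next;                                     // next iteration re-validates it
            continue;
        }
        return $code === 200 ? $body : null;
    }
    return null;                                              // redirect limit exceeded
}
```

Rejecting rather than silently rewriting a bad URL keeps the failure visible, and logging the rejected URL and resolved address gives a simple detection signal for SSRF probing against the avatar form.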