phpThumb 1.7.12 Server Side Request Forgery

Type packetstorm
Reporter Rafay Baloch
Modified 2013-12-02T00:00:00


                                            `#phpThumb 'phpThumbDebug' Server Side Request Forgery  
#Google Dork: inurl:phpThumb.php  
#Author: Rafay Baloch And Deepanker Arora  
#Company: RHA InfoSEC  
#Impact: High  
#Version: 1.7.12  
#Status: Reported And Fixed  
A server side request forgery is not a single vulnerability, however it  
represents different classes of vulnerability. In a server side request  
forgery an attaker creates forged packets to communicate with the  
intra/internet by using the vulnerable server as a pivot point. Several  
other different attacks can be performed, however we will keep it at a  
basic level for a better understanding.  
The debug mode in phpThumb was introduced for trouble shooting purposes,  
however the debug mode when turned can result in a server side request  
forgery. By exploiting it a SSRF vulnerability an attacker may be able to  
scan local or remote ports, fingerprint services etc. Let's take a look at  
the piece of code responsible for fetching an external image:  
if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error,  
$phpThumb->config_http_follow_redirect)) {  
succeeded'.($error ? ' with messsages: "'.$error.'"' :  
''), __FILE__, __LINE__);  
$phpThumb->DebugMessage('Setting source data from URL  
"'.$phpThumb->src.'"', __FILE__, __LINE__);  
$phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));  
} else {  
if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error,  
$phpThumb->config_http_follow_redirect)) {  
$md5s = md5($rawImageData);  
The above code is responsible for fetching an external image file with the  
"src" parameter. The code doesn't checks if the image retrived is actually  
a valid image. Therefore, under debug mode set to "True" it would display  
the error message received from the lower layer network sockets which would  
enable an attacker to launch a server side request forgery attack.  
Furthurmore, I noticed that there was a validation being perfomed for  
protocols such as file://.  
if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {  
However, this doesn't prevent this attack completly, as an attacker may be  
able to leverage other protocols such as gopher://, dict:// etc in order to  
exploit this vulnerability.  
Proof of Concept  
================ has known ports 22, 80 and 25 open, In case where the  
server errors are turned on, there would be a distinct response by probing  
open ports vs closed ports.  
Open Port  
Open port  
Closed port  
It is recommended to turn off the "debug" mode. The debug mode can be  
modfying by changing the following lines inside the php code.  
"$PHPTHUMB_CONFIG['disable_debug']= false;"  
"$PHPTHUMB_CONFIG['disable_debug']= true;".  
1) The authors explicitly disabled all other protocols then http/https/ftp  
protocols. This minimizes few of the attack vectors.  
2) The debug_mode has been disabled and the "High Security Mode" has been  
enabled by default in version phpThumb 1.7.12. Take a look at the author's  
3) Further security improvements are to be done in the future versions.