CakePHP 3.0.5 XML Class SSRF
Posted on 16 October 2015
============================================================================= Title : CakePHP Xml class SSRF Vulnerability CVE Number : N/A (not assigned) Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may also be affected) Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc. http://www.mbsd.jp/ Issue Status : v3.0.6/2.6.6 was released which fixes this issue ============================================================================= Overview: ----------------------------------------------------------------------------- CakePHP is an open-source web application framework for PHP. CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side Request Forgery) attacks. Remote attacker can utilize it for at least DoS (Denial of Service) attacks, if the target application accepts XML as an input. It is caused by insecure design of Cake's Xml class. Details: ----------------------------------------------------------------------------- Here is an abstract from CakeUtilityXml.php (v3.0.3). 96: public static function build($input, array $options = []) 97: { .... 104: if (is_array($input) || is_object($input)) { 105: return static::fromArray($input, $options); 106: } 107: 108: if (strpos($input, '<') !== false) { 109: return static::_loadXml($input, $options); 110: } 111: 112: if (file_exists($input)) { 113: return static::_loadXml(file_get_contents($input), $options); 114: } The problematic part is line 112-114, where $input is treated as a URL (file path) and the method tries to fetch the content of the URL, if it does not contain any '<' character. Therefore, if values such as those shown below are given to it, the application will block. 1. file:///dev/random -> blocks permanently (until so much entropy supplied) 2. /dev/urandom -> blocks until hitting memory limit 3. ftp://very_slow_host/a -> blocks until socket timeout Attackers can exhaust MaxClients (on Apache), just by sending the number of requests with these values instead of normal XML. CakePHP seems to accept XML inputs when RequestHandlerComponent, which is designed to handle XHR requests that may contain XML or JSON in their body, is enabled. http://book.cakephp.org/3.0/en/development/rest.html http://book.cakephp.org/3.0/en/controllers/components/request-handling.html When the component is enabled and a request has necessary headers (Content-Type and X-Requested-With), raw body of the request is passed to Xml::build() directly (i.e. without validation), which can obviously be used for attacks. However, it seems hard to successfully conduct other types of attack than DoS, because there are some hurdles for attackers. Firstly, usual web applications are unlikely to return the full request data. This means there is very little opportunity for file theft attacks, regardless of whether the target file is XML or not. The second hurdle is file_exists() check in line 112, which results in URLs with interesting schemes like "expect" and "http" being rejected. But still DoS and timing attacks like internal network scan using ftp URL's are possible. Additionally, in CakePHP v2, attackers can also use http(s) URLs for such attacks, as Cake2 accepts URLs with these schemes. Timeline: ----------------------------------------------------------------------------- 2015/05/27 Reported to CakePHP Security ML 2015/05/29 Vender announced v3.0.6 & 2.6.6 2015/10/15 Disclosure of this advisory Recommendation: ----------------------------------------------------------------------------- Upgrading to the latest versions is recommended, if your app accepts XML data, as stated in the release note. https://github.com/cakephp/cakephp/releases/tag/3.0.6 One thing I think should be noted is that the default behavior of the method (Xml::build()) was kept as it had been, in order to avoid compatibility problems. https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0 This means you need to modify your program, if you pass untrusted data to the method in your own program code to deal with XML. Technically, specifying a newly created option (readFile = false) for the method disables URL loading feature, thus can prevent DoS and other relevant attacks. See the URL above (github commit log) for details. -- Takeshi Terada Mitsui Bussan Secure Directions, Inc. http://www.mbsd.jp/
