Voozh

Flarum vulnerable to LFI and Blind SSRF via Avatar upload

High severity GitHub Reviewed Published in flarum/framework • Updated

Package

flarum/core (Composer)

Affected versions

< 1.8.0

Patched versions

1.8.0

flarum/framework (Composer)

< 1.8.0

1.8.0

Description

Impact

The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the intervention/image package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack.

Patches

This has been patched in Flarum v1.8.

Workarounds

As a temporary workaround for the SSRF aspect of the vulnerability, one can disable PHP's allow_url_fopen which will prevent the fetching of external files via URLs.

Credits

Adam Kues - Assetnote

References

👁 @SychO9
SychO9 published to flarum/framework

Published to the GitHub Advisory Database

Reviewed

Published by the National Vulnerability Database

Last updated

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

EPSS score

(34th percentile)

Weaknesses

CVE ID

CVE-2023-40033

GHSA ID

GHSA-67c6-q4j4-hccg

Source code

flarum/framework

See something to contribute? Suggest improvements for this vulnerability.

URL: https://github.com/advisories/GHSA-67c6-q4j4-hccg

⇱ Flarum vulnerable to LFI and Blind SSRF via Avatar upload · CVE-2023-40033 · GitHub Advisory Database · GitHub