Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02N2M2LXE0ajQtaGNjZ84AA1WM
Flarum vulnerable to LFI and Blind SSRF via Avatar upload
Impact
The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the intervention/image
package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack.
Patches
This has been patched in Flarum v1.8.
Workarounds
As a temporary workaround for the SSRF aspect of the vulnerability, one can disable PHP's allow_url_fopen
which will prevent the fetching of external files via URLs.
Credits
Adam Kues - Assetnote
Permalink: https://github.com/advisories/GHSA-67c6-q4j4-hccgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02N2M2LXE0ajQtaGNjZ84AA1WM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-67c6-q4j4-hccg, CVE-2023-40033
References:
- https://github.com/flarum/framework/security/advisories/GHSA-67c6-q4j4-hccg
- https://nvd.nist.gov/vuln/detail/CVE-2023-40033
- https://github.com/flarum/framework/commit/d1059c1cc79fe61f9538f3da55e8f42abbede570
- https://github.com/advisories/GHSA-67c6-q4j4-hccg
Blast Radius: 22.1
Affected Packages
packagist:flarum/framework
Dependent packages: 0Dependent repositories: 0
Downloads: 335 total
Affected Version Ranges: < 1.8.0
Fixed in: 1.8.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1
All unaffected versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.5
packagist:flarum/core
Dependent packages: 1,429Dependent repositories: 1,301
Downloads: 830,348 total
Affected Version Ranges: < 1.8.0
Fixed in: 1.8.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2
All unaffected versions: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5