揭开未打补丁的WordPress SSRF漏洞研究中隐藏的危险

Introduction – Exploring the Unknown: Beneath the Surface of Unpatched WordPress SSRF

In the ever-evolving landscape of cybersecurity, WordPress remains a popular target due to its widespread usage and extensive plugin ecosystem. While the WordPress core is generally secure, vulnerabilities often arise from third-party plugins and themes. One such vulnerability that has garnered attention is the Server-Side Request Forgery (SSRF) vulnerability. In this blog post, we will delve into the intricacies of the unpatched WordPress SSRF vulnerability, its implications, and how WP-Firewall can help protect your WordPress site from such threats.

## The Root Cause: wp_http_validate_url()

In September 2022, SonarSource published an advisory on an unpatched WordPress Core Unauthenticated Blind SSRF. The root cause of this vulnerability lies in the `wp_http_validate_url()` function, which is susceptible to DNS rebinding attacks. While the WordPress core itself is not directly affected, plugins that utilize this vulnerable function are at risk.

Understanding wp_http_validate_url()

The `wp_http_validate_url()` function is designed to validate URLs to prevent redirection and request forgery attacks. However, it falls short in protecting against DNS rebinding attacks, making it a potential vector for SSRF vulnerabilities. This function is often used in conjunction with `wp_remote_get()` and its safer alternative, `wp_safe_remote_get()`.

The Obvious Part: wp_remote_get() and wp_safe_remote_get()

The `wp_remote_get()` function is commonly used to request remote hosts through the server. However, it is well-known that passing user-input URLs into this function can lead to SSRF vulnerabilities. To mitigate this risk, WordPress introduced `wp_safe_remote_get()`, which includes additional validations to prevent SSRF attacks.

How Safe is wp_safe_remote_get()?

The `wp_safe_remote_get()` function is designed to be a safer alternative to `wp_remote_get()`. According to the official WordPress documentation:

"This function is ideal when the HTTP request is being made to an arbitrary URL. The URL is validated to avoid redirection and request forgery attacks."

However, the function's safety is limited by the underlying `wp_http_validate_url()` function, which, as mentioned earlier, is vulnerable to DNS rebinding attacks.

Diving into the Function

The source code for `wp_safe_remote_get()` is as follows:

php
function wp_safe_remote_get( $url, $args = array() ) {
    $args['reject_unsafe_urls'] = true;
    $http = _wp_http_get_object();
    return $http->get( $url, $args );
}

On line 2, the `$args['reject_unsafe_urls']` parameter is set to `true`, which eventually passes the user input to the `wp_http_validate_url()` function before requesting the URL. Since `wp_http_validate_url()` is vulnerable to DNS rebinding attacks, any function relying solely on it for validation is also vulnerable.

Limitations of the Vulnerability

While this is not a full-fledged SSRF, there are limitations set by the `wp_http_validate_url()` function:

– The protocol must be either `http://` or `https://`
– The port can only be one of 80, 443, or 8080

Despite these limitations, requesting internal hosts within these boundaries is possible through this SSRF.

Vulnerable Plugin Code

Here are some examples of vulnerable plugin code:

Non-blind SSRF

php
<?php
require_once('wp-load.php');
$url = $_GET['url'];
$response = wp_safe_remote_get( $url );
$response = wp_remote_retrieve_body( $response );
echo $response;
?>

If the plugin takes user input, passes it to the `wp_safe_remote_get()` function, and then displays the response, it is vulnerable to non-blind limited SSRF.

Blind SSRF

php
<?php
require_once('wp-load.php');
$url = $_GET['url'];
$response = wp_safe_remote_get( $url );
$response_code = wp_remote_retrieve_response_code( $response );
if ($response_code == 200) {
    echo "Up and running";
} else {
    echo "Down or not found!";
}
?>

If the plugin passes user input to `wp_safe_remote_get()` but only returns the response code/status, it is vulnerable to blind SSRF, limiting the impact to port-scanning of ports 80, 443, or 8080 of any internal host.

Attack Demonstration

To demonstrate this vulnerability, we performed an attack on an Apache server running WordPress on port 80 and a PHP server running on localhost:8080 with some secret information. The vulnerable code was inserted in the plugin directory `/wp-content/plugins/vulnerable-plugin/index.php`.

GitHub Repository

You can find a vulnerable Docker instance and the exploit script to play with on this vulnerability in this GitHub repository. Credit: Ananda Dhakal

## More Vulnerable Functions

The same vulnerability applies to other functions that rely on `wp_http_validate_url()` for validation:

– `wp_safe_remote_request()`
– `wp_safe_remote_post()`
– `wp_safe_remote_head()`

Additionally, some functions act as wrappers for `wp_safe_remote_get()` and are also vulnerable to some extent:

– `WP_REST_URL_Details_Controller::get_remote_url()`
– `download_url()`
– `wp_remote_fopen()`
– `WP_oEmbed::discover()`

结论

It is evident that functions considered safe and designed to protect against SSRF vulnerabilities are not entirely foolproof. The reliance on `wp_http_validate_url()`, which is vulnerable to DNS rebinding attacks, exposes WordPress sites to potential SSRF attacks. We urge the WordPress Core team to address this issue and release a patch to enhance the security of the platform.

WP-Firewall 如何提供帮助

At WP-Firewall, we understand the critical importance of securing your WordPress site against emerging threats. Our comprehensive security solutions are designed to provide robust protection against a wide range of vulnerabilities, including SSRF attacks. Here’s how WP-Firewall can help safeguard your WordPress site:

Real-Time Threat Detection

WP-Firewall offers real-time threat detection capabilities that monitor your site for suspicious activities and potential vulnerabilities. Our advanced algorithms can identify and block SSRF attempts, ensuring your site remains secure.

Regular Security Audits

Our team of security experts conducts regular audits of your WordPress site and its plugins to identify and address vulnerabilities. By staying ahead of potential threats, we help you maintain a secure environment for your users.

Automated Patch Management

保持 WordPress 核心、主题和插件最新对于安全至关重要。 WP-Firewall 提供自动补丁管理，确保站点的所有组件都使用最新的安全补丁进行更新。

自定义防火墙规则

WP-Firewall 允许您创建适合您的特定需求的自定义防火墙规则。通过实施阻止恶意请求和未经授权的访问尝试的规则，您可以增强站点的安全性。

综合报告

我们详细的安全报告可深入了解检测到的威胁以及为保护您的网站而采取的措施。借助 WP-Firewall，您可以随时了解 WordPress 网站的安全状态。

使用 WP 防火墙防御 SSRF

为了专门解决 SSRF 漏洞，WP-Firewall 提供了以下功能：

输入验证

WP-Firewall 执行严格的输入验证，以确保用户提供的 URL 安全且无恶意。通过在多个级别验证输入，我们可以防止 SSRF 攻击利用易受攻击的功能。

DNS 重新绑定保护

我们的防火墙包含 DNS 重新绑定保护机制，可检测并阻止利用 DNS 重新绑定漏洞的尝试。即使“wp_http_validate_url()”等底层函数容易受到攻击，这也可以确保您的网站保持安全。

安全 API 请求

WP-Firewall 通过执行严格的验证和身份验证措施来保护 API 请求。这可以防止未经授权的访问并降低针对 API 端点的 SSRF 攻击的风险。

持续监控

我们的持续监控功能会密切关注您网站的流量和活动。任何可疑行为都会被及时标记并解决，从而最大限度地降低 SSRF 攻击成功的风险。

呼吁采取行动

虽然未修补的 WordPress SSRF 漏洞会带来重大风险，但主动措施可以减轻其影响。通过利用 WP-Firewall 的全面安全解决方案，您可以保护您的 WordPress 网站免受 SSRF 攻击和其他新兴威胁。使用 WP-Firewall 领先于潜在漏洞并确保为您的用户提供安全的环境。

不要等到出现安全漏洞才采取行动。立即使用 WP-Firewall 保护您的 WordPress 网站。 开始你的免费试用 并体验强大的实时保护所带来的安心。

有关 WP-Firewall 如何帮助保护您的 WordPress 网站的更多信息，请访问我们的 网站 或联系我们的支持团队。

确保安全，保持安全，并使用 WP-Firewall 保护您的 WordPress 网站。

—

每周安全建议

将最新的 WordPress 安全情报发送到您的收件箱。 订阅我们的新闻 并随时了解最新的威胁和保护 WordPress 网站的最佳实践。

最新的安全建议

查看所有最新的安全建议，并及时了解影响 WordPress 插件和主题的关键漏洞。

– 2024 年 5 月 19 日： WordPress漏洞报告（2024年5月6日至2024年5月12日）
– 2024 年 5 月 15 日： Uncode 核心插件中修复的高优先级漏洞