#phpThumb 'phpThumbDebug' Server Side Request Forgery
#Google Dork: inurl:phpThumb.php
#Author: Rafay Baloch And Deepanker Arora
#Company: RHA InfoSEC
#Impact: High
#Vendor: http://phpthumb.sourceforge.net/#download
#Version: 1.7.12
#Status: Reported And Fixed

===========
Description
===========

A server side request forgery is not a single vulnerability, however it
represents different classes of vulnerability. In a server side request
forgery an attaker creates forged packets to communicate with the
intra/internet by using the vulnerable server as a pivot point. Several
other different attacks can be performed, however we will keep it at a
basic level for a better understanding.

===========
Explanation
===========

The debug mode in phpThumb was introduced for trouble shooting purposes,
however the debug mode when turned can result in a server side request
forgery. By exploiting it a SSRF vulnerability an attacker may be able to
scan local or remote ports, fingerprint services etc. Let's take a look at
the piece of code responsible for fetching an external image:

if ($rawImageData = phpthumb_functions::SafeURLread($phpThumb->src, $error,
$phpThumb->config_http_fopen_timeout,

$phpThumb->config_http_follow_redirect)) {
        $phpThumb->DebugMessage('SafeURLread('.$phpThumb->src.')
succeeded'.($error ? ' with messsages: "'.$error.'"' :

''), __FILE__, __LINE__);
        $phpThumb->DebugMessage('Setting source data from URL
"'.$phpThumb->src.'"', __FILE__, __LINE__);
        $phpThumb->setSourceData($rawImageData, urlencode($phpThumb->src));
    } else {
        $phpThumb->ErrorImage($error);
    }
}
 if ($rawImageData = phpthumb_functions::SafeURLread($_GET['src'], $error,
$phpThumb->config_http_fopen_timeout,

$phpThumb->config_http_follow_redirect)) {
            $md5s = md5($rawImageData);
        }

The above code is responsible for fetching an external image file with the
"src" parameter. The code doesn't checks if the image retrived is actually
a valid image. Therefore, under debug mode set to "True" it would display
the error message received from the lower layer network sockets which would
enable an attacker to launch a server side request forgery attack.

Furthurmore, I noticed that there was a validation being perfomed for
protocols such as file://.

if (preg_match('#^(f|ht)tp\://#i', $phpThumb->src)) {

However, this doesn't prevent this attack completly, as an attacker may be
able to leverage other protocols such as gopher://, dict:// etc in order to
exploit this vulnerability.

Proof of Concept
================

Scanme.nmap.org has known ports 22, 80 and 25 open, In case where the
server errors are turned on, there would be a  distinct response by probing
open ports vs closed ports.

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:22&phpThumbDebug=9//
Open Port

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:80&phpThumbDebug=9//
Open port

http://site.com/phpthumb/phpThumb.php?h=32&w=32&src=http://scanme.nmap.org:1337&phpThumbDebug=9//
Closed port

Remedy
======

It is recommended to turn off the "debug" mode. The debug mode can be
modfying by changing the following lines inside the php code.

"$PHPTHUMB_CONFIG['disable_debug']= false;"

With:

"$PHPTHUMB_CONFIG['disable_debug']= true;".


Fix
===

1) The authors explicitly disabled all other protocols then http/https/ftp
protocols. This minimizes few of the attack vectors.

https://github.com/JamesHeinrich/phpThumb/commit/457a37d4a22ac9cdbbfe19577376622e58df81b0

2) The debug_mode has been disabled and the "High Security Mode" has been
enabled by default in version phpThumb 1.7.12. Take a look at the author's
note:

3) Further security improvements are to be done in the future versions.

References
==========

http://www.rafayhackingarticles.net/2013/11/phpthumb-server-side-request-forgery.html