What is the Server-side Request Forgery (SSRF) Vulnerability?
Server-side Request Forgery (SSRF) is an attack in which the attacker tricks the server into making requests to another server on the attacker's behalf. This can be used to reach internal resources that were never meant to be reachable from the outside, or to attack other servers.
SSRF typically exploits web applications that build requests to other servers from user-supplied data, for example when calling an external API. If the application does not properly validate or sanitize that data, an attacker can supply input that makes the server issue a request of the attacker's choosing, without the user's knowledge or consent.
In some cases, SSRF can be used to bypass firewalls or to reach internal resources that are normally inaccessible from the outside. For example, an attacker might use SSRF to read a file on the server that is usually accessible only to the administrator, or to send requests to another server behind a firewall.
What are the WordPress Plugins?
WordPress plugins are what give WordPress incredible flexibility and power. Plugins are pieces of software that you can install on your WordPress site to add new features and functionality. There are literally thousands of plugins available, so there’s sure to be one that fits your needs.
The Skitter Slideshow plugin, where we found the SSRF vulnerability, is one of these plugins.
As a result of our research, we detected a Server-side Request Forgery vulnerability in the WordPress Skitter Slideshow Plugin version 2.5.2 via the "image" parameter of a GET request sent to /image.php.
How Did We Detect Skitter Slideshow Plugin SSRF Vulnerability?
As the Security For Everyone team, we regularly look for vulnerabilities in software we have chosen in order to find 0-days. For this, we decided to work on WordPress plugins. After reviewing WordPress plugins for a while, we focused on the Skitter Slideshow plugin.
We decided to manually examine the source code of the application, downloaded from GitHub, after we saw that examining it with automated source code analysis tools produced too many false positives.
As a result of our static and dynamic analyses of the source code, we detected an SSRF vulnerability in the "image" parameter sent to the image.php page.
We confirmed that the vulnerability could be triggered by sending an SSRF payload to this vulnerable parameter.
Finally, we reported the issue to Wordfence and obtained our CVE ID.
How to Prevent SSRF Vulnerabilities?
To prevent SSRF vulnerabilities, organizations should consider the following:
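As an added example, not code from the original post or from the Skitter Slideshow plugin, the following Python function shows the kind of validation an image-fetching endpoint should apply to a user-supplied "image" URL before the server requests it (written in Python rather than the plugin's PHP so it runs stand-alone). The allowlist hosts and the injectable `resolver` hook are assumptions constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allowlist of hosts the image endpoint may fetch from (constructed for this example).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


def resolve_all(hostname):
    """Resolve a hostname to every IPv4/IPv6 address string it maps to (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    # Strip any IPv6 zone id ("fe80::1%eth0") so ipaddress can parse the address.
    return {info[4][0].split("%")[0] for info in infos}


def is_public_address(ip):
    """True only for globally routable addresses: rejects loopback, RFC 1918 ranges,
    link-local (including the 169.254.169.254 cloud metadata range), multicast,
    reserved and unspecified addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_image_url(raw_url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason). Accepts only http(s) URLs whose host is allowlisted and
    whose every resolved address is public. `resolver` is injectable so the check
    can be exercised without live DNS."""
    parsed = urlparse(raw_url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"        # blocks file://, gopher://, etc.
    host = parsed.hostname                        # drops userinfo: "a.com@127.0.0.1" -> "127.0.0.1"
    if not host:
        return False, "missing host"
    if host.lower() not in allowed_hosts:
        return False, "host not allowlisted"      # also rejects raw IP literals
    addresses = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addresses:
        return False, "host does not resolve"
    if not all(is_public_address(ip) for ip in addresses):
        return False, "host resolves to an internal address"
    # The caller should connect to one of `addresses` rather than re-resolving,
    # otherwise a DNS rebinding between check and fetch defeats the check.
    return True, "ok"
```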