Unauthenticated Blind SSRF in WordPress Core: A Vulnerability Overview

WordPress is one of the most popular Content Management Systems (CMS) in the world, powering over 40% of all websites on the internet. Its widespread use makes it a prime target for attackers, who are constantly looking for vulnerabilities to exploit. In recent years, a number of security issues have been discovered in WordPress, including a serious vulnerability known as Unauthenticated Blind SSRF. In this post, we will take a look at it.  

What is Unauthenticated Blind SSRF?

Unauthenticated Blind SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to make a vulnerable server send arbitrary HTTP requests without authenticating first, potentially reaching internal network resources. SSRF vulnerabilities occur when an application lets the user specify the URL of a resource that the application will fetch, but does not validate the input or properly restrict the network resources that can be reached. The “blind” aspect refers to the fact that the attacker cannot see the response to the request, because it is never returned to them. This makes the vulnerability harder to exploit, as the attacker must rely on other techniques to determine whether the request succeeded.  

How does it work in WordPress Core?

The vulnerability was caused by a lack of input validation in the WordPress HTTP API, specifically in the wp_http_validate_url function, which is used to validate URLs before they are used in HTTP requests. It did not properly reject URLs that used the “file://” scheme. This meant that an attacker could craft a URL that referenced a local file on the server and use that URL to direct the server's request at a local or internal resource. For example, an attacker could craft a URL like this:

http://example.com/wp-admin/admin-ajax.php?action=example&url=file:///etc/passwd

When this URL was passed to the wp_remote_get function, it would send a request to the local file “/etc/passwd”, which contains sensitive system information such as user accounts.  

Discovery and Release of Patch

The vulnerability was discovered by security researchers Dawid Golunski and Fredric Landqvist in December 2020. They reported the vulnerability to the WordPress security team, who acknowledged and addressed the issue in the WordPress 5.6.1 security release on January 13, 2021. As always, it is important to keep your WordPress installation up to date with the latest security patches to protect against vulnerabilities like this.  

Conclusion

To further mitigate the risk of SSRF attacks, website owners and developers should follow some best practices, such as:

  • Avoid accepting arbitrary URLs as input: Whenever possible, limit the URLs that your application accepts to specific domains or whitelist them.
  • Perform input validation: Validate user input to ensure it conforms to expected formats and patterns. This can help prevent malicious input from being accepted by your application.
  • Use proper authentication and authorization mechanisms: Ensure that only authorized users are allowed to access sensitive resources, and enforce strong authentication and authorization mechanisms to prevent unauthorized access.
  • Implement network segmentation: Implement network segmentation to limit the access of internal network resources to only authorized users and applications.
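The following is an added example, not WordPress core code, of a fail-closed URL check that a plugin could apply before handing a user-supplied URL to an HTTP client. It combines the scheme problem described in the WordPress section (a "file://" URL reaching wp_remote_get) with the allowlisting and input-validation advice above; "api.example.com" is an assumed allowlisted host and is_safe_outbound_url is a hypothetical helper name.

```php
<?php
// Added example (not WordPress core code). Checks a URL before any outbound
// request: only http/https, an explicit host allowlist, and no loopback,
// private or reserved destination addresses. Unknown or unparsable input
// is rejected (fail closed).

function is_safe_outbound_url(string $url, array $allowed_hosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }

    // 1. Scheme allowlist: rejects file://, gopher://, php://, ftp:// and so on.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // 2. Host allowlist. parse_url() already separated any userinfo, so
    //    "http://api.example.com@127.0.0.1/" yields host "127.0.0.1" here.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return false;
    }

    // 3. Resolve the host and refuse internal targets, so an allowlisted name
    //    that resolves to 127.0.0.1 or 169.254.169.254 is still blocked.
    //    Bracketed IPv6 literals ("[::1]") do not resolve and are rejected.
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host);
        if ($ip === $host) {
            return false; // resolution failed: fail closed
        }
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Constructed sample inputs; "api.example.com" is an assumed allowlisted host.
$allow   = ['api.example.com'];
$samples = [
    'file:///etc/passwd',                 // blocked: scheme
    'http://127.0.0.1/wp-admin/',         // blocked: host not allowlisted
    'http://api.example.com/v1/items',    // allowed only if it resolves publicly
];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, is_safe_outbound_url($u, $allow) ? 'allowed' : 'blocked');
}
```

The resolve-then-connect gap remains: the HTTP client resolves the name again when it connects, so a host whose DNS answer changes between the two lookups (DNS rebinding) can still slip through unless the client pins the address that was checked.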

Prevention is better than cure.


Abdullah As-Sadeed