Headline
CVE-2023-40033: fix: improve avatar upload functionality · flarum/framework@d1059c1
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server that the PHP process can read, even with a basic user account on any Flarum forum. By uploading a file whose contents are a URL and spoofing the MIME type, an attacker can make the application fetch that URL. The vulnerability is due to the behavior of the intervention/image package, which attempts to interpret the supplied file contents as a URL and then fetches its contents. This allows an attacker to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. This has been patched in Flarum version 1.8.0. Users are advised to upgrade. Users unable to upgrade may disable PHP's allow_url_fopen, which prevents the fetching of remote files via URLs, as a temporary workaround for the SSRF aspect of the vulnerability; it does not cover the local file disclosure aspect, since the file:// wrapper is unaffected by that setting.
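The mechanism described above, as an added example that is not Flarum's or intervention/image's code: a simplified PHP model of the decoder's input classification. The check order (SplFileInfo, image bytes, URL, stream, local path) and the `UploadStream` stand-in for a PSR-7 stream are assumptions made for the example; the sample upload contents are constructed and nothing is fetched. It contrasts the pre-patch call shape (passing the stream object) with the patched one (passing the temp-file path from `getMetadata('uri')`).

```php
<?php
declare(strict_types=1);

// Added example, not library code. ASSUMPTION: the branch order in classify()
// models how the decoder picked an input type when this CVE was filed. The
// function only reports which branch would be taken; it never opens a URL.

// Stand-in for a PSR-7 upload stream. Like the real interface it stringifies
// to its full contents, which is what lets filter_var() see a URL in it.
final class UploadStream
{
    /** @var resource */
    private $fp;

    public function __construct(string $path)
    {
        $this->fp = fopen($path, 'rb');
    }

    // Mirrors StreamInterface::getMetadata(): null for an unknown key.
    public function getMetadata(string $key): ?string
    {
        $meta = stream_get_meta_data($this->fp);
        return isset($meta[$key]) ? (string) $meta[$key] : null;
    }

    public function __toString(): string
    {
        rewind($this->fp);
        return (string) stream_get_contents($this->fp);
    }
}

// Returns the decoding branch and the source that branch would open.
function classify($data): array
{
    if ($data instanceof SplFileInfo) {                        // 1. file object
        return ['branch' => 'spl', 'source' => $data->getRealPath()];
    }
    if (is_string($data)) {                                    // 2. image bytes
        $mime = finfo_buffer(finfo_open(FILEINFO_MIME_TYPE), $data);
        if (substr($mime, 0, 4) !== 'text' && $mime !== 'application/x-empty') {
            return ['branch' => 'binary', 'source' => null];
        }
    }
    // 3. URL: filter_var() casts an object with __toString() to its contents,
    //    so a stream whose bytes are "http://..." or "file:///..." lands here
    //    and a real decoder would hand that string to fopen(): the SSRF.
    if (filter_var($data, FILTER_VALIDATE_URL) !== false) {
        return ['branch' => 'url', 'source' => (string) $data];
    }
    if ($data instanceof UploadStream) {                       // 4. stream
        return ['branch' => 'stream', 'source' => null];
    }
    if (is_string($data) && is_file($data)) {                  // 5. local path
        return ['branch' => 'file', 'source' => $data];
    }
    throw new RuntimeException('Image source not readable');
}

// Runs the vulnerable and patched call shapes over constructed uploads.
function demo(): array
{
    $results = [];
    $samples = [                                               // constructed, never fetched
        'ssrf'       => 'http://127.0.0.1:8080/internal-admin',
        'local_file' => 'file:///etc/hostname',
    ];
    foreach ($samples as $name => $contents) {
        $path = tempnam(sys_get_temp_dir(), 'avatar');
        file_put_contents($path, $contents);
        $stream = new UploadStream($path);

        $results[$name] = [
            'before' => classify($stream)['branch'],                     // stream object
            'after'  => classify($stream->getMetadata('uri'))['branch'], // temp-file path
            'spl'    => classify(new SplFileInfo($path))['branch'],      // file object
        ];
        unlink($path);
    }
    // A genuine image body (constructed 1x1 GIF) still decodes from memory.
    $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         . "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
    $results['gif'] = ['bytes' => classify($gif)['branch']];
    return $results;
}

var_export(demo());
```

Under this model both constructed uploads reach the `url` branch when the stream object is passed, and the `file` branch when its `uri` metadata (the server-side temp path, which the attacker does not control) is passed instead. Two practical points follow from the order of checks: passing the raw bytes (`(string) $stream`) would not have fixed it, because a text body that is a URL fails the image-bytes check and still reaches the URL check; and disabling `allow_url_fopen` stops the `http://` case but not `file:///`, which is why the advisory describes it as a workaround for the SSRF aspect only.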
Commit
fix: improve avatar upload functionality
Signed-off-by: Sami Mazouz [email protected]
Showing 5 changed files with 5 additions and 5 deletions.
- AvatarEditor.js
- UploadFaviconController.php
- UploadLogoController.php
- AvatarValidator.php
- UploadAvatarHandler.php
2 changes: 1 addition & 1 deletion framework/core/js/src/forum/components/AvatarEditor.js
@@ -204,7 +204,7 @@ export default class AvatarEditor extends Component {
/**
* After a successful upload/removal, push the updated user data into the
* store, and force a recomputation of the user’s avatar color.
* store, and force a re-computation of the user’s avatar color.
*
* @param {object} response
* @protected
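Review bot: the only change in this file is the hyphen added to `recomputation` in a JSDoc comment, which is unrelated to the avatar-upload fix and was already correct spelling; keeping unrelated comment edits out of a security patch makes it cleaner to backport to affected branches.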
2 changes: 1 addition & 1 deletion framework/core/src/Api/Controller/UploadFaviconController.php
@@ -62,7 +62,7 @@ protected function makeImage(UploadedFileInterface $file): Image
]);
}
$encodedImage = $this->imageManager->make($file->getStream())->resize(64, 64, function ($constraint) {
$encodedImage = $this->imageManager->make($file->getStream()->getMetadata(‘uri’))->resize(64, 64, function ($constraint) {
$constraint->aspectRatio();
$constraint->upsize();
})->encode(‘png’);
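Review bot: `$file->getStream()->getMetadata('uri')` returns null when the stream is not backed by a file the metadata key exists for, and `make(null)` then throws NotReadableException, which this controller does not catch (AvatarValidator.php in this same commit wraps the identical call in a try/catch). Resolve the path once, check `is_string($path) && is_file($path)` before calling `make()`, and fail with the same validation error the avatar path produces rather than an uncaught exception.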
2 changes: 1 addition & 1 deletion framework/core/src/Api/Controller/UploadLogoController.php
@@ -38,7 +38,7 @@ public function __construct(SettingsRepositoryInterface $settings, Factory $file
*/
protected function makeImage(UploadedFileInterface $file): Image
{
$encodedImage = $this->imageManager->make($file->getStream())->heighten(60, function ($constraint) {
$encodedImage = $this->imageManager->make($file->getStream()->getMetadata(‘uri’))->heighten(60, function ($constraint) {
$constraint->upsize();
})->encode(‘png’);
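Review bot: this is the same one-line `make($file->getStream()->getMetadata('uri'))` expression repeated across UploadFaviconController.php, UploadLogoController.php, AvatarValidator.php and UploadAvatarHandler.php; the safe way to hand an upload to the image manager should live in one helper (for example on the image manager wrapper or a small trait) so the next caller does not reintroduce `make($file->getStream())`, which is the exact shape this commit removes.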
2 changes: 1 addition & 1 deletion framework/core/src/User/AvatarValidator.php
@@ -87,7 +87,7 @@ protected function assertFileMimes(UploadedFileInterface $file)
}
try {
$this->imageManager->make($file->getStream());
$this->imageManager->make($file->getStream()->getMetadata(‘uri’));
} catch (NotReadableException $_e) {
$this->raise(‘image’);
}
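Review bot: this validation fully decodes the upload only to discard the result, and UploadAvatarHandler.php decodes the same file again immediately after `assertValid` on its next line; since decoding is the step this CVE is about, the attacker-controlled file should pass through the decoder once, either by having the validator return the Image it built or by moving the NotReadableException handling into the handler.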
2 changes: 1 addition & 1 deletion framework/core/src/User/Command/UploadAvatarHandler.php
@@ -74,7 +74,7 @@ public function handle(UploadAvatar $command)
$this->validator->assertValid([‘avatar’ => $command->file]);
$image = $this->imageManager->make($command->file->getStream());
$image = $this->imageManager->make($command->file->getStream()->getMetadata(‘uri’));
$this->events->dispatch(
new AvatarSaving($user, $actor, $image)
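Review bot: the switch from the stream to `getMetadata('uri')` is undocumented at the call site; a one-line comment stating that the path, not the stream, must be passed because the package interprets stream contents as a URL (as the CVE text above describes) would stop a future refactor from restoring `make($command->file->getStream())`, which reads as the more natural call.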
0 comments on commit d1059c1
Related news
### Impact
The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack.

### Patches
This has been patched in Flarum **v1.8**.

### Workarounds
As a temporary workaround for the SSRF aspect of the vulnerability, one can disable PHP's `allow_url_fopen`, which will prevent the fetching of external files via URLs.

### Credits
Adam Kues - [Assetnote](https://assetnote.io/)