Simple Machines Community Forum

SMF Development => Bug Reports => Fixed or Bogus Bugs => Topic started by: qc on May 09, 2016, 11:48:38 AM

Title: fetch web data(): possibly dangerous local proxy
Post by: qc on May 09, 2016, 11:48:38 AM
Hi @ALL,

A classic weakness found in many web applications is the 'local proxy': While remote access to the server is often heavily restricted, requests originating from the local network or the webserver itself (localhost) are often regarded as less suspicious. Various services running on the server, such as memcache or a data storage, might e. g. allow read access from localhost only. Therefore, a malicious person will often look for a 'proxy' on the webserver translating possibly malicious remote requests into local requests, send by the webserver itself.

'Local proxy' in SMF: the fetch_web_data() function is often used to fetch content from remote webservers, e.g. from an open ID provider or SMF package server. However, it also accepts localhost as the destination address.

I am just writing this here to raise awareness of this weakness - which is not a vulnerability in itself but often a stepping stone - and discuss the best way to 'harden' SMF.