7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40033

GHSA ID

GHSA-67c6-q4j4-hccg

EPSS Score

0.37251%

CWE

CWE-98

Published

8/16/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40033

CVE-2023-40033:
Flarum vulnerable to LFI and Blind SSRF via Avatar upload

Impact

The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulate the application to execute unintended actions. The vulnerability is due to the behavior of the intervention/image package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. This allows an attacker to exploit the vulnerability to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack.

Patches

This has been patched in Flarum v1.8.

Workarounds

As a temporary workaround for the SSRF aspect of the vulnerability, one can disable PHP's allow_url_fopen which will prevent the fetching of external files via URLs.

Credits

Adam Kues - Assetnote

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40033

GHSA ID

GHSA-67c6-q4j4-hccg

EPSS Score

0.37251%

CWE

CWE-98

Published

8/16/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flarum/core	composer	< 1.8.0	1.8.0
flarum/framework	composer	< 1.8.0	1.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the intervention/image package interpreting file streams as URLs. The pre-patch code passed $file->getStream() to imageManager->make(), which reads raw content. If the uploaded file contained a URL string (with spoofed MIME), the library would fetch it, enabling SSRF/LFI. The patch replaced getStream() with getStream()->getMetadata('uri'), forcing the library to treat the input as a local file path instead of raw content, mitigating URL interpretation. The modified functions in the commit diff directly correlate to avatar/file upload handlers, making them the entry points for exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t T** *l*rum *orum so*tw*r* is *****t** *y * vuln*r**ility t**t *llows *n *tt**k*r to *on*u*t * *lin* SSR* *tt**k or *is*los* *ny *il* on t** s*rv*r, *v*n wit* * **si* us*r ***ount on *ny *l*rum *orum. *y uplo**in* * *il* *ont*inin* * URL *n*

Reasoning

T** vuln*r**ility st*ms *rom t** int*rv*ntion/im*** p**k*** int*rpr*tin* *il* str**ms *s URLs. T** pr*-p*t** *o** p*ss** `$*il*->**tStr**m()` to `im***M*n***r->m*k*()`, w*i** r***s r*w *ont*nt. I* t** uplo**** *il* *ont*in** * URL strin* (wit* spoo**

7.1

Basic Information

Concerned about an active attack path?

CVE-2023-40033: Flarum vulnerable to LFI and Blind SSRF via Avatar upload

Impact

Patches

Workarounds

Credits

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-40033:
Flarum vulnerable to LFI and Blind SSRF via Avatar upload

Vulnerability Intelligence
Miggo AI