affiliate-toolkit < 3.4.3 – Unauthenticated SSRF | CVE 2023-5877

Description

The plugin lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.

Version 3.3.6 introduces some measures to limit access to localhost, and a separate file for storing an arbitrary site key. However, other RFC1918 addresses are not filtered, and the site key file is under a hardcoded pathname, and may be accessible by unauthenticated visitors, effectively reducing the security of the endpoint.

Proof of Concept

Send a request to http://example.com/wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php?image=$img&hash=$hash, where $img is base64 encoded URL, hash is computed by

$site_key = md5(__FILE__);
$hash = md5( $image_url . $site_key );
$image_url is raw URL without base64.

When for example using docker, __FILE__ could be /var/www/html/wp-content/plugins/affiliate-toolkit-starter/tools/atkp_imagereceiver.php, then the hash can be computed and the request can be successfully sent.

In versions after 3.3.6 the site key may also be present by fetching /wp-content/uploads/atkp-imagereceiver-key.php from the remote site. If it's not present, use the same site key as for earlier versions.