ikiwiki Aggregator Plugin SSRF Vulnerability (CVE-2019-9187) Fix

Critical Vulnerability Information Package: ikiwiki Version: 3.20141016.4+deb8u1 CVE ID: CVE-2019-9187 Vulnerability Description The maintainer of ikiwiki discovered that the aggregation plugin did not use LWPx::ParanoidAgent. On sites with the aggregation plugin enabled, authorized wiki editors could instruct ikiwiki to fetch potentially unwanted URIs, even if LWPx::ParanoidAgent was installed. Affected URI Types Local files: file: URI Other URI schemes that could be abused by attackers: such as gopher:, hosts resolving to loopback IP addresses (127.x.x.x), or hosts resolving to RFC 1918 IP addresses (192.168.x.x, etc.). Potential Risks Disclosure of information that should not be accessible Denial of service via requests to "tar pit" URIs Unintended side effects if the local web server implements "unsafe" GET requests Solution Fixed in ikiwiki version 3.20190228, and backported to Debian 9 as version 3.20170111.1. Rejects all URI schemes except http: and https:, preventing access to file:, gopher:, etc. If a proxy is configured, it is used for all outgoing http: and https: requests, blocking any unnecessary requests, including those to loopback or RFC 1918 addresses. If no proxy is configured but liblwpx-paranoidagent-perl is installed, it is used to prevent requests to loopback and RFC 1918 IP addresses, and timeouts are set to avoid denial of service via "tar pit" URIs. Otherwise, a regular LWP user agent is used, allowing requests to loopback and RFC 1918 IP addresses, with less stable timeout behavior. Recommended Upgrade It is recommended to upgrade the ikiwiki package, and to install liblwpx-paranoidagent-perl, which is listed in the ikiwiki's Recommends field. Debian 8 "Jessie" Fix The issue has been fixed in version 3.20141016.4+deb8u1.

Goal Reached Thanks to every supporter — we hit 100%!

ikiwiki Aggregator Plugin SSRF Vulnerability (CVE-2019-9187) Fix