Typecho <=1.3.0 SSRF Vulnerability Analysis: Weak Token Bypass and Gopher Protocol Exploitation

Typecho <=1.3.0 Server-Side Request Forgery (SSRF) Vulnerability Summary 1. Vulnerability Overview Typecho version 1.3.0 and earlier versions contain a severe SSRF vulnerability in the asynchronous ping service. Trigger Point: endpoint. Root Causes: 1. Weak Token Validation: The function uses loose comparison ( ) instead of strict comparison ( ). Attackers can bypass validation by simply sending . 2. Pingback Relay: After retrieving the Pingback link, the server initiates a new POST request (XML-RPC), and this request lacks any IP restriction checks. 3. Protocol Support: The underlying HTTP client supports protocols such as , allowing attackers to interact with internal non-HTTP services (e.g., Redis, Memcached, MySQL). 2. Scope of Impact Affected Product: Typecho Blog Platform Affected Versions: 1.3.0 and all earlier versions Affected Components: endpoint, method Impact: Exploitable without authentication. Can scan internal network ports and fingerprint services. Can exploit internal Redis (when unauthenticated), Memcached, MySQL, etc., using the protocol. Data exfiltration or lateral movement within the internal network. 3. Remediation Plan Immediate Mitigation: Disable the Ping service in Typecho settings. Modify to filter extracted URLs, rejecting those pointing to private IPs or dangerous protocols (e.g., ). Modify to use strict comparison ( ) and enforce as a string. Long-term Solution: Upgrade to the latest version or remove the automatic Pingback relay functionality. 4. Vulnerability Code Analysis (Technical Analysis) 4.1 Weak Token Validation File: Issue: Uses for loose comparison. In PHP, comparing a non-empty string with a hash value may result in an unintended match, allowing the validation to pass. 4.2 Pingback Relay (Second POST Request) File: Issue: The second request (XML-RPC POST) does not call , and can be controlled by the attacker, leading to SSRF. 5. Proof of Concept (PoC) 5.1 Basic Pingback Relay to Internal HTTP Service Attacker Server Response (HTML): Malicious JSON Payload Sent to the Vulnerable Endpoint: 5.2 Gopher Attack Against Internal Redis (Unauthenticated) Attacker Server Response (HTML): Explanation: This payload sends the Redis command. The Typecho server will establish a TCP connection and transmit raw RESP data. 6. Suggested Code Fixes Fix 1: Strict Token Validation File: Fix 2: Restrict Pingback Protocols and IPs File**:

Goal Reached Thanks to every supporter — we hit 100%!

Typecho <=1.3.0 SSRF Vulnerability Analysis: Weak Token Bypass and Gopher Protocol Exploitation