Typecho
cpe:2.3:a:typecho:typecho:*:*:*:*:*:*:*
- <= 1.3.0
A server-side request forgery (SSRF) vulnerability exists in Typecho versions through 1.3.0. The issue is located in the Ping Back Service Endpoint, specifically within the `Service::sendPingHandle` function of the `var/Widget/Service.php` file. This vulnerability allows remote attackers to manipulate the `X-Pingback/link` header, leading to unauthorized requests being sent from the server to internal or external targets. The vulnerability arises from weak validation of time-based tokens, which can be bypassed, enabling exploitation of the Pingback relay feature to access internal services or networks.
Exploitation of this vulnerability allows for server-side request forgery, where the Typecho server is tricked into making requests to internal services or external targets controlled by the attacker. This could lead to unauthorized access to internal resources, interaction with exposed services, and potential exploitation of other vulnerabilities to gain further access or control.
To reproduce this vulnerability, send a JSON payload to the `/action/service?do=ping` endpoint, including a bypassed token. The server will then fetch the specified Pingback URL, extract an internal address, and send a POST request to it, demonstrating the SSRF exploitation.
Typecho users are advised to disable the Pingback service if not needed, apply strict IP filtering to reject URLs pointing to private or reserved IP ranges, and patch the token validation to ensure proper validation before processing requests.
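One way to implement the IP-filtering mitigation above, as an added example that is not Typecho's code or an official patch: it accepts a Pingback target only when every address it resolves to is outside the private and reserved ranges. The function names (`isPublicIp`, `resolveHost`, `vetPingbackTarget`), the stub resolver and the sample hostnames and addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not Typecho code. All function names are hypothetical.

/** True only for addresses outside private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/** Resolve A and AAAA records; an IP literal resolves to itself. */
function resolveHost(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $ips = [];
    foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'];
    }
    return $ips;
}

/** Returns the vetted IP to connect to, or null if the URL must be rejected. */
function vetPingbackTarget(string $url, ?callable $resolver = null): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // only web schemes are valid Pingback targets
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps brackets on IPv6 literals
    $ips = ($resolver ?? 'resolveHost')($host);
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null; // one internal answer rejects the whole URL
        }
    }
    return $ips[0] ?? null; // an empty answer (unresolvable host) is rejected too
}

// Constructed sample data: a stub resolver so the demo runs offline.
$stub = fn(string $h): array => ['blog.example' => ['93.184.216.34'],
    'mixed.example' => ['93.184.216.34', '10.0.0.5']][$h] ?? resolveHost($h);
foreach (['https://blog.example/xmlrpc', 'http://mixed.example/', 'http://127.0.0.1/',
          'http://169.254.169.254/', 'http://[::1]/', 'file:///etc/passwd'] as $u) {
    printf("%-30s %s\n", $u, vetPingbackTarget($u, $stub) ?? 'REJECTED');
}
```

The caller should connect to the returned address (for example with cURL's `CURLOPT_RESOLVE`) and keep redirect following disabled, so the request cannot land on a different host than the one that was checked. The two filter flags do not cover every special-purpose range, such as 100.64.0.0/10, so add explicit CIDR checks for any such range that is routable in your network.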