A security issue has been identified that could potentially allow attachment uploads to exploit our system.

A patch has been released that will fix the issue. There will be some downtime whilst we upgrade some server services, update the forum and implement the patch.

At present I do not know how long it will take to implement the updates. I doubt it will be more than a few hours; the work will be carried out between 6am and 6pm on weekdays, UK time.

There will be a static notice presented during the downtime.



Forum users are allowed to share media files by uploading them to the server. Some pages also let a user specify the URL of a media file to share, which the forum then retrieves. User-provided links are validated so that only the HTTP and HTTPS protocols can be used and connections to the localhost are not allowed.

HTTP redirects are also prohibited; however, there is one place in the system codebase that accepts redirects from the target server specified in a user-provided link. By specifying a link to a malicious server that returns a 301 HTTP redirect to, for example, http://localhost:3306, an attacker could easily bypass the restrictions described above and make a connection to the MySQL service listening on port 3306 of the localhost. This introduces a Server-Side Request Forgery (SSRF) vulnerability.

As curl is used to fetch remote resources, attackers could specify a handful of protocols other than HTTP to interact with local services. For instance, by sending a redirect to gopher://localhost:11211/datahere, attackers could send arbitrary traffic to memcached services. Additionally, depending on the temporary directory location configured within the forum, attackers could potentially view the service responses: the download function stores responses in temporary files, which could be viewed if the temporary directory is exposed on the web server.
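
The mitigation for the redirect bypass described above is to apply the same scheme and address checks to every redirect hop rather than only to the user-provided link. The following is an added example, not the forum's own code or the vendor's patch; the function names, host names and addresses are constructed for illustration, and the fetcher and resolver are stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3

class BlockedURL(Exception):
    """Raised when a URL or redirect target fails validation."""

def check_url(url, resolve):
    """Allow only http(s) URLs whose host resolves to non-internal addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {url}")
    if not parts.hostname:
        raise BlockedURL(f"no host: {url}")
    for addr in resolve(parts.hostname):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified:
            raise BlockedURL(f"internal address {ip}: {url}")

def safe_fetch(url, fetch, resolve):
    """Follow redirects by hand so every hop is validated, not only the first."""
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url, resolve)
        # fetch() must not follow redirects itself; a production fetcher should
        # also connect to the address that was checked (DNS can change between calls).
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return body
    raise BlockedURL("too many redirects")

# Constructed sample data: fake DNS and fake remote servers, nothing is contacted.
DNS = {"media.example": ["93.184.216.34"], "evil.example": ["93.184.216.35"],
       "localhost": ["127.0.0.1"]}
PAGES = {
    "http://media.example/cat.png": (200, None, b"PNG"),
    "http://evil.example/a": (301, "http://localhost:3306", b""),
    "http://evil.example/b": (301, "gopher://localhost:11211/datahere", b""),
}

def outcome(url):
    """Return the fetched body, or a 'blocked: ...' string if validation failed."""
    try:
        return safe_fetch(url, PAGES.__getitem__, DNS.__getitem__)
    except BlockedURL as exc:
        return f"blocked: {exc}"
```

When the fetch is done with libcurl, automatic redirect following can be disabled so that application code performs this per-hop check, and `CURLOPT_REDIR_PROTOCOLS` limits which protocols a redirect may switch to.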