Summary
An attacker with a basic forum user account can specify a malicious avatar URL that discloses the contents of arbitrary local files on the file system.
Impact
An attacker can read the contents of any local file. An attacker can also conduct blind SSRF attacks.
Affected Software
The following versions are affected by this vulnerability:
Product Description
Flarum is a delightfully simple discussion platform for your website. It’s fast, free, and easy to use, with all the features you need to run a successful community. It’s also extremely extensible, allowing for ultimate customizability.
Solution
Upgrade to the latest version of flarum/framework, >= 1.8.0.
Flarum has not released an official advisory yet. We will update this page with a link once they do.
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Adam Kues – Assetnote Security Research Team