=============================================================================
Title : CakePHP Xml class SSRF Vulnerability
CVE Number : N/A (not assigned)
Affected Software : Confirmed on CakePHP v3.0.5 (prior versions may
also be affected)
Credit : Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/
Issue Status : v3.0.6/2.6.6 was released which fixes this issue
=============================================================================

Overview:
-----------------------------------------------------------------------------
  CakePHP is an open-source web application framework for PHP.
  CakePHP (v3.0.5) was confirmed to be vulnerable to SSRF (Server Side
  Request Forgery) attacks. Remote attacker can utilize it for at least
  DoS (Denial of Service) attacks, if the target application accepts
  XML as an input. It is caused by insecure design of Cake's Xml class.

Details:
-----------------------------------------------------------------------------
  Here is an abstract from Cake\Utility\Xml.php (v3.0.3).

   96: public static function build($input, array $options = [])
   97: {
       ....
  104:     if (is_array($input) || is_object($input)) {
  105:         return static::fromArray($input, $options);
  106:     }
  107:
  108:     if (strpos($input, '<') !== false) {
  109:         return static::_loadXml($input, $options);
  110:     }
  111:
  112:     if (file_exists($input)) {
  113:         return static::_loadXml(file_get_contents($input), $options);
  114:     }

  The problematic part is line 112-114, where $input is treated as a
  URL (file path) and the method tries to fetch the content of the URL,
  if it does not contain any '<' character.

  Therefore, if values such as those shown below are given to it,
  the application will block.

  1. file:///dev/random
     -> blocks permanently (until so much entropy supplied)

  2. /dev/urandom
     -> blocks until hitting memory limit

  3. ftp://very_slow_host/a
     -> blocks until socket timeout

  Attackers can exhaust MaxClients (on Apache), just by sending
  the number of requests with these values instead of normal XML.

  CakePHP seems to accept XML inputs when RequestHandlerComponent,
  which is designed to handle XHR requests that may contain XML or
  JSON in their body, is enabled.

  http://book.cakephp.org/3.0/en/development/rest.html
  http://book.cakephp.org/3.0/en/controllers/components/request-handling.html

  When the component is enabled and a request has necessary headers
  (Content-Type and X-Requested-With), raw body of the request is
  passed to Xml::build() directly (i.e. without validation), which
  can obviously be used for attacks.

  However, it seems hard to successfully conduct other types of
  attack than DoS, because there are some hurdles for attackers.
  Firstly, usual web applications are unlikely to return the full
  request data. This means there is very little opportunity for file
  theft attacks, regardless of whether the target file is XML or not.
  The second hurdle is file_exists() check in line 112, which results
  in URLs with interesting schemes like "expect" and "http" being
  rejected.

  But still DoS and timing attacks like internal network scan using
  ftp URL's are possible. Additionally, in CakePHP v2, attackers can
  also use http(s) URLs for such attacks, as Cake2 accepts URLs with
  these schemes.

Timeline:
-----------------------------------------------------------------------------
  2015/05/27  Reported to CakePHP Security ML
  2015/05/29  Vender announced v3.0.6 & 2.6.6
  2015/10/15  Disclosure of this advisory

Recommendation:
-----------------------------------------------------------------------------
  Upgrading to the latest versions is recommended, if your app
  accepts XML data, as stated in the release note.

  https://github.com/cakephp/cakephp/releases/tag/3.0.6

  One thing I think should be noted is that the default behavior
  of the method (Xml::build()) was kept as it had been, in order to
  avoid compatibility problems.

  https://github.com/cakephp/cakephp/commit/2cde19f24c3679e8162e3abbce73818a8b0c02a0

  This means you need to modify your program, if you pass untrusted
  data to the method in your own program code to deal with XML.
  Technically, specifying a newly created option (readFile = false)
  for the method disables URL loading feature, thus can prevent DoS
  and other relevant attacks. See the URL above (github commit log)
  for details.

-- 
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/