
Security: CVE-2024-25737

Overview

A Server-Side Request Forgery (SSRF) vulnerability in the /Cover/Show route (showAction in CoverController.php) in VuFind® 2.0 through 9.1 before 9.1.1 allows remote attackers to access internal HTTP servers and perform Cross-Site Scripting (XSS) attacks by proxying arbitrary URLs via the proxy GET parameter.

Mitigation

Users are strongly encouraged to upgrade to release 9.1.1 immediately and to configure appropriate coverproxyAllowedHosts and coverproxyAllowedTypes settings in config.ini, so that the cover proxy only fetches from known hosts and only passes through image content types.
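As an added illustration (not VuFind®'s own code, and not tied to the real config.ini syntax, which this page does not show), the following Python sketch shows the two gates that host and type allowlisting put in front of a cover proxy: the requested host must be explicitly allowlisted (closing the SSRF path to internal servers), and the upstream response must carry an allowlisted image type (so an HTML body cannot be relayed to the browser). The host names and MIME types are constructed sample values.

```python
from urllib.parse import urlparse

# Constructed sample settings in the spirit of coverproxyAllowedHosts and
# coverproxyAllowedTypes; the real config.ini format is not shown on this page.
ALLOWED_HOSTS = {"covers.example.org", "images.example.net"}
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}


def proxy_target_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for http(s) URLs whose host is exactly allowlisted.

    Everything else is refused: other schemes, loopback or internal
    addresses, and hosts that merely contain an allowed name as a prefix.
    """
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and is already lower-cased, so
    # "http://allowed.example@internal/" resolves to the real target host.
    host = parts.hostname
    if not host:
        return False
    return host in allowed_hosts


def response_type_allowed(content_type, allowed_types=ALLOWED_TYPES):
    """Accept only allowlisted image media types from the upstream reply.

    Parameters such as charset are stripped before comparing, so a
    text/html response is rejected rather than echoed to the client.
    """
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in allowed_types


def proxied_cover_ok(url, content_type):
    """Combined gate: both the request target and the reply type must pass."""
    return proxy_target_allowed(url) and response_type_allowed(content_type)
```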

If upgrading is not possible, two alternative mitigation options exist:

Mitigation without Upgrade, Option 1

If you are running a release issued in the past five years, the fix has been backported to the associated release branch in GitHub. You can download replacement CoverController.php and CoverControllerFactory.php files that can replace the existing files in your installation. For example, for release 6.0, you can download https://github.com/vufind-org/vufind/blob/release-6.0/module/VuFind/src/VuFind/Controller/CoverControllerFactory.php and https://github.com/vufind-org/vufind/blob/release-6.0/module/VuFind/src/VuFind/Controller/CoverController.php. For newer versions, just replace “6.0” in each URL with the appropriate major and minor version numbers for the desired release.

IMPORTANT NOTE: this patched code is not compatible with PHP versions below 8.0 (it uses the null-safe operator) and requires adjustments (or application of Mitigation Option 2 below) if you are running an older version that is out of security support.

Mitigation without Upgrade, Option 2

If you are running a VuFind® release more than five years old, you will have to make a manual correction to the code. The easiest solution is to simply delete the cover proxy feature from the CoverController. Unless you are using VuFind®'s Summon integration, you do not need this code at all. Here is an example of the lines to delete when using VuFind® 4.1: https://github.com/vufind-org/vufind/blob/release-4.1/module/VuFind/src/VuFind/Controller/CoverController.php#L143-L155; it should not be too difficult to find the equivalent code in other versions.

Acknowledgements

Thanks to rob (@b7c on GitHub) for identifying and responsibly reporting this vulnerability.

security/cve-2024-25737.txt · Last modified: 2024/06/06 11:36 by demiankatz