CVE-2023-41054
📋 TL;DR
CVE-2023-41054 is a Server-Side Request Forgery (SSRF) vulnerability in LibreY's image_proxy.php that allows attackers to use the server as a proxy to send HTTP GET requests to arbitrary internal or external targets. This enables information disclosure from internal networks and potential Denial-of-Service attacks. All LibreY instances before commit 8f9b9803f231e2954e5b49987a532d28fe50a627 are affected.
💻 Affected Systems
- LibreY
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, exfiltrate confidential data, chain requests to create distributed DoS attacks, or use the server as a pivot point for further network exploitation.
Likely Case
Attackers will use the server to scan internal networks, access metadata services, or conduct DoS by requesting large files or chaining requests between vulnerable instances.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to external resource consumption and potential DoS against the LibreY server itself.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable endpoint with a malicious URL parameter. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 8f9b9803f231e2954e5b49987a532d28fe50a627 or later
Vendor Advisory: https://github.com/Ahwxorg/LibreY/security/advisories/GHSA-p4f9-h8x8-mpwf
Restart Required: No
Instructions:
1. Pull the latest commit from the LibreY repository.
2. Replace the image_proxy.php file with the patched version.
3. No service restart required as PHP files are interpreted on each request.
🔧 Temporary Workarounds
Disable image_proxy.php
Linux: temporarily disable or remove the vulnerable image_proxy.php file
mv /path/to/LibreY/image_proxy.php /path/to/LibreY/image_proxy.php.disabled
Web server access restriction
All platforms: configure the web server to block access to image_proxy.php
# For Apache: add 'Deny from all' to .htaccess for image_proxy.php
# For Nginx: add 'location ~ image_proxy\.php { deny all; }' to server config
🧯 If You Can't Patch
- Implement strict network egress filtering to limit what IPs/ports the server can connect to
- Deploy a WAF with SSRF protection rules to block malicious URL parameters
🔍 How to Verify
Check if Vulnerable:
Check if image_proxy.php exists and is accessible, then test with a controlled external URL parameter to see if the server makes outbound requests.
Check Version:
cd /path/to/LibreY && git log --oneline -1
Verify Fix Applied:
Verify the image_proxy.php file hash matches the patched version from commit 8f9b9803f231e2954e5b49987a532d28fe50a627.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the server
- Multiple requests to image_proxy.php with varying URL parameters
- Requests to internal IP addresses (10.x, 172.16-31.x, 192.168.x) from image_proxy.php
Network Indicators:
- Unexpected outbound HTTP traffic from the LibreY server to unusual destinations
- Traffic patterns suggesting the server is being used as a proxy
SIEM Query:
source="web_server_logs" AND uri="/image_proxy.php" AND (url_parameter CONTAINS "internal" OR url_parameter CONTAINS "localhost" OR url_parameter CONTAINS "127.0.0.1" OR url_parameter CONTAINS "10." OR url_parameter CONTAINS "192.168." OR url_parameter CONTAINS "172.16-31.")
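The log indicators above can be checked more precisely than by substring matching, since a literal "172.16-31." never appears in a URL and "10." also matches ordinary hostnames. The following is an added example, not LibreY code or part of the advisory: it assumes combined-format access logs and that the proxied target is passed in a query parameter named `url`; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2023:10:00:01 +0000] "GET /image_proxy.php?url=https%3A%2F%2Fupload.example.org%2Fcat.png HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2023:10:00:02 +0000] "GET /image_proxy.php?url=http%3A%2F%2F172.20.0.5%3A8080%2Fstatus HTTP/1.1" 200 812
203.0.113.9 - - [01/Sep/2023:10:00:03 +0000] "GET /image_proxy.php?url=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 230
203.0.113.9 - - [01/Sep/2023:10:00:04 +0000] "GET /image_proxy.php?url=http%3A%2F%2Flocalhost%2F HTTP/1.1" 200 99
198.51.100.4 - - [01/Sep/2023:10:00:05 +0000] "GET /image_proxy.php?url=https%3A%2F%2F10.example.com%2Flogo.png HTTP/1.1" 200 777
198.51.100.4 - - [01/Sep/2023:10:00:06 +0000] "GET /search.php?q=192.168.1.1 HTTP/1.1" 200 4000
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/[\d.]+"')

def classify_target(target):
    """Return a reason string if the proxied URL points inward, else None."""
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    try:
        ip = ipaddress.ip_address(host)  # covers IPv4 and IPv6 literals
    except ValueError:
        # Not an IP literal: flag only names that are internal by convention.
        if host == "localhost" or host.endswith((".localhost", ".internal")):
            return "internal-name"
        return None
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, where metadata services live
        return "link-local"
    return "private" if ip.is_private else None

def find_ssrf_candidates(log_text, param="url"):  # param name is an assumption
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, request_uri = m.groups()
        parts = urlsplit(request_uri)
        if not parts.path.endswith("/image_proxy.php"):
            continue
        for target in parse_qs(parts.query).get(param, []):  # percent-decoded
            reason = classify_target(target)
            if reason:
                hits.append((client, target, reason))
    return hits
```

Public hostnames that resolve to internal addresses are not caught by log inspection alone, which is why the egress filtering listed under "If You Can't Patch" remains necessary.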