Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

A web security researcher claims that the maintainers of the WebPageTest project have failed to address a critical vulnerability

UPDATED Despite a researcher’s best efforts at disclosure, the maintainers of the WebPageTest project appear to be ignoring a severe remote code execution (RCE) vulnerability.

In a blog post dated September 23, ManoMano researcher Louka “Laluka” Jacques-Chevallier discussed his discovery of a pre-authentication RCE vulnerability in the open source project WebPageTest.

The research has also been the subject of a talk at DEFCON Paris.

Catch up with the latest security research and analysis

Developed by Catchpoint, WebPageTest is a tool dating back to the days of dial-up modems and the 1990s, which has evolved to become a utility to check the speed and performance of website code for optimization purposes.

According to the researcher, this software has been “prone” to security issues in the past, including a lack of updates to code and containers, outdated components which remained unpatched against known vulnerabilities, and the “intensive use of smelly PHP code”.

The latest stable release of WebPageTest, v22.01, was published in October 2021.

Server-side request forgery (SSRF) vulnerabilities, bugs that allow attackers to make successful requests via a server-side application to an unintended location or resource, have been found in WebPageTest in the past.

A newly discovered SSRF flaw was the focus of Laluka’s research.

After examining the software’s source code and carrying out both crawling and fuzzing tests, Laluka discovered an SSRF vulnerability in under 15 minutes. The SSRF was limited to an HTTP scheme, but the underlying code held more surprises for the cybersecurity researcher.

Under the microscope

Upon closer inspection Laluka uncovered a range of issues, including PHP code that could trigger a payload by including a slash in a path, file write bugs, and sanitization failures. Eventually, the researcher was able to push a command injection, create a reverse shell, exploit JSON file jobs, and achieve RCE.

While Beanstalkd is not present in default configurations, it may also be possible to exploit the RCE if the Beanstalkd work queue engine is in use. Laluka says that the SSRF and command injection issues could be exploited to inject a new, malicious job and force the worker to use the file.

Arguably, this could be considered a second RCE in its own right.

The researcher found the first SSRF bug on April 15, and by May 25, verified the full RCE exploit chain. Laluka contacted the vendor on June 15, and although Catchpoint responded, the lines of communication were described as “pretty tedious”.

‘Open bag’

Despite providing the technical details of the issue and a video Proof-of-Concept (PoC), the vendor did not respond until July 28, when Catchpoint offered a $300 “big” bounty program reward.

Laluka offered to help with patch validation, but there has been radio silence since. Although he was paid, it’s been over 90 days, and there is still no news on a fix.

“I think that this software can be really helpful for devs and site reliability engineers, but that the codebase isn’t following good practices whatsoever,” Laluka told The Daily Swig. “It’s basically features in a bag – an open bag.”

Catchpoint has not responded to requests for comment from The Daily Swig.

This article has been updated for clarification.

RELATED PHP package manager component Packagist vulnerable to compromise