Whoogle Search Users Beware of Server-Side Request Forgery Vulnerability

CVE: CVE-2024-22205
CVSS (v3.1): 9.1
Source: CVE-2024-22205

Whoogle Search, an open source metasearch engine, was found to have a vulnerability in versions prior to 0.8.4 that could allow attackers to perform server-side request forgery (SSRF).

SSRF is a class of vulnerability in which an attacker induces the application to make requests it shouldn’t. In this case, the “window” endpoint in Whoogle Search did not properly sanitize the user input passed in the “location” variable; that value was then used as the target of a GET request, so an attacker could craft URLs that the server would fetch on their behalf.

This could enable an attacker to access internal resources on the server’s network that may not be accessible from the public internet. Even seemingly “benign” requests could be used to scan internal systems for other vulnerabilities.
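The kind of outbound-URL check a proxy-style endpoint such as the one described above should apply before fetching whatever a user supplied, added here as an illustration; it is not Whoogle’s code and does not reproduce the 0.8.4 fix. `ALLOWED_SCHEMES`, `is_safe_outbound_url`, `DEMO_DNS` and `demo_resolver` are names chosen for this example, and `DEMO_DNS` holds constructed records so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumed allow-list for a proxy-style fetch endpoint


def _resolve(hostname):
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}  # real DNS lookup


def _is_public(addr):
    """True only if the address string is a public (global) IP."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped:  # judge ::ffff:a.b.c.d by its IPv4 part
        ip = ip.ipv4_mapped
    return ip.is_global


def is_safe_outbound_url(url, resolver=_resolve):
    """True only if the URL is http(s) and every address its host resolves to is
    public: loopback, RFC 1918, link-local (incl. 169.254.169.254) and other
    reserved ranges are refused before the server fetches anything."""
    try:
        parts = urlparse(url)
        host = parts.hostname
    except ValueError:  # malformed IPv6 literal and similar
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if parts.username or parts.password:  # reject user:pass@host confusion
        return False
    try:
        addresses = resolver(host)
    except (OSError, UnicodeError):  # socket.gaierror is an OSError
        return False
    return bool(addresses) and all(_is_public(a) for a in addresses)


DEMO_DNS = {  # constructed records so the check can be exercised offline, not real lookups
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "dual-homed.test": {"93.184.216.34", "127.0.0.1"},  # one bad address taints the name
}


def demo_resolver(hostname):
    """Offline stand-in for _resolve: DEMO_DNS names, IP literals passed through."""
    return DEMO_DNS.get(hostname, {hostname})
```

Resolve-then-validate still leaves a window for DNS rebinding between this check and the real fetch, so the HTTP client should connect to the vetted address (or repeat the check at connect time) rather than resolve the name a second time.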

The good news is this issue was addressed in version 0.8.4. If you’re running an older version of Whoogle Search, be sure to update immediately. It’s also always a good idea to run software and services behind a firewall or on their own isolated network whenever possible, to minimize exposure if vulnerabilities are found.

Staying on top of updates and practicing basic network segmentation are important steps anyone can take to help protect themselves and their data from server-side attacks.
