Whoogle Search Users Beware of Server-Side Request Forgery Vulnerability

CVE: CVE-2024-22205
CVSS (v3.1): 9.1
Source: CVE-2024-22205

Whoogle Search, an open source metasearch engine, was found to have a vulnerability in versions prior to 0.8.4 that could allow attackers to perform server-side request forgery (SSRF).

SSRF is a class of attack in which an outside party tricks the application into making requests it should not make. In this case, the “window” endpoint in Whoogle Search did not properly sanitize the user input passed in the “location” variable. That value was used directly as the target of a GET request, so an attacker could craft a URL that the server would then fetch on their behalf.

This could enable an attacker to access internal resources on the server’s network that may not be accessible from the public internet. Even seemingly harmless GET requests could be used to retrieve sensitive internal files or launch phishing attacks on the server’s behalf.

Luckily, the developers were notified and released version 0.8.4, which fixes this issue by sanitizing the location parameter. If you are running an older version of Whoogle Search, you should update to the latest version immediately to protect your server from this SSRF vulnerability. It is also a good reminder for all developers to carefully validate any user-supplied input that is used to build outbound requests.
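The following is an added illustration of the kind of check described above; it is not Whoogle Search's own code and does not reproduce the project's actual fix. It assumes a Python service (Whoogle is a Flask application) with a hypothetical `fetch_window` handler that receives a `location` value and fetches it with an injected `http_get` callable. `validate_outbound_url` only admits http/https URLs whose host resolves exclusively to public addresses; literal IPs, IPv4-mapped IPv6 literals, loopback, link-local and private ranges are rejected before any request is made. The `FAKE_DNS` table is constructed so the demonstration runs offline.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 literals (e.g. ::ffff:127.0.0.1) so the
    # IPv4 range checks apply to the embedded address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address it maps to (live DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(raw: str, resolver=default_resolver) -> str:
    """Return the URL if it is safe to fetch server-side, else raise ValueError."""
    parsed = urlparse(raw)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    # A literal IP is checked directly; a hostname is resolved and every
    # returned address must be public, because one internal record is
    # enough to reach the internal network.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for ip in addrs:
        if not _is_public(ip):
            raise ValueError(f"non-public address for {host!r}: {ip}")
    return raw


def fetch_window(location: str, http_get, resolver=default_resolver) -> str:
    """Hypothetical hardened 'fetch this URL for the user' endpoint."""
    url = validate_outbound_url(location, resolver)  # reject before fetching
    return http_get(url)


# Constructed sample DNS table for an offline demonstration (not live DNS).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "split.example": ["93.184.216.35", "192.168.1.1"],  # one public, one internal
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"host does not resolve: {host!r}")
    return FAKE_DNS[host]


def check(location: str) -> str:
    """Classify a location value as 'allowed' or 'blocked: <reason>'."""
    try:
        validate_outbound_url(location, fake_resolver)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for loc in [
        "https://example.com/page",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/",
        "http://intranet.local/",
        "http://split.example/",
        "file:///etc/passwd",
        "http://user:pw@example.com/",
    ]:
        print(f"{loc:40} -> {check(loc)}")
```

One caveat the validator does not close on its own: the hostname is resolved once for the check and again by the HTTP client, so a DNS answer that changes between the two lookups (rebinding) can still slip through. A production version should connect to the address it validated, or validate inside the client's connection hook, and should apply the same check to every redirect target.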
