Server-Side Request Forgery (SSRF) in chatwoot/chatwoot
Reported on
Jul 5th 2021
✍️ Description
SSRF via SVG file upload
🕵️♂️ Proof of Concept
Create a new inbox, change its avatar to an SVG file with an SSRF payload in it, and open the image in a new tab.
💥 Impact
Host redirect
Hey Ajmal, Thanks for reporting this. Would you be able to share a sample SVG? I tried doing it with a couple of them, those didn't work.
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="10" y="10" width="276" height="110" xlink:href="YOUR LINK"/>
<path d="M0 150h300v10H0z"/>
</svg>
```
Add your open ports in the YOUR LINK area.
Thanks for your response.
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="10" y="10" width="276" height="110" xlink:href="http://0a0fdf524388.ngrok.io"/>
<path d="M0 150h300v10H0z"/>
</svg>
```
I think huntr is applying some sort of sanitizer to the payload; I will share a link.
https://drive.google.com/drive/folders/1Aylj448fnVZGmCocaQ0yZuH7ozvYFsTj?usp=sharing Change my localhost IP/port to yours, or use requestbin or something like that to check the incoming request during the host redirect.
```xml
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image x="10" y="10" width="276" height="110" xlink:href="https://en7uzqeqppd0apu.m.pipedream.net"/>
<path d="M0 150h300v10H0z"/>
</svg>
```
This should be a duplicate of https://huntr.dev/bounties/1625474692857-chatwoot/chatwoot/ since avatars are a shared module. But thanks for reporting this.
It's a stored XSS vulnerability, but I don't see any SSRF, so closing https://huntr.dev/bounties/1625472018080-chatwoot/chatwoot/ in favor of this.
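As an added illustration (not Chatwoot's code or the reporter's), a server-side check an avatar upload handler could run before storing an SVG: it parses the file and flags the external `<image xlink:href>` fetch shown in this report, plus the script and event-handler vectors behind the stored-XSS assessment. The sample SVGs below are constructed, with a placeholder host standing in for the reporter's callback URL.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
# Elements that execute code, embed HTML, or pull in remote resources.
BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG is unsafe; an empty list means it passed."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag}, not svg")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in BLOCKED_TAGS:
            findings.append(f"<{local}> element not allowed")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{local}>")
            if attr in HREF_ATTRS and not value.startswith(("#", "data:image/")):
                # Any other scheme (http, https, file, ...) makes the viewer
                # issue a request to that host when the avatar is rendered.
                findings.append(f"external reference on <{local}>: {value}")
            if name == "style" and "url(" in value.lower():
                findings.append(f"url() in style on <{local}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not svg_findings(svg_bytes)


# Constructed sample mirroring the reported payload, with a placeholder host.
REPORTED_PAYLOAD = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="300" height="160">
  <image x="10" y="10" width="276" height="110"
         xlink:href="https://attacker.example/collector"/>
  <path d="M0 150h300v10H0z"/>
</svg>"""
# Constructed benign avatar: only shapes, no references or scripts.
BENIGN_AVATAR = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#39f"/>
</svg>"""
```

Rejecting the file outright is simpler than trying to strip offending nodes, and serving any accepted SVG with `Content-Disposition: attachment` or from a separate origin limits what a missed vector can do.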
@sojan-official - same again here?
Are we able to mark the patch commit SHA and we can arrange a CVE!