Server-Side Request Forgery (SSRF) in chatwoot/chatwoot

Valid

Reported on

Jul 5th 2021


✍️ Description

SSRF via SVG file upload

🕵️‍♂️ Proof of Concept

create a new inbox, change its avatar to an SVG file with SSRF payload in it. and open the image in a new tab.

💥 Impact

Host redirect

We have contacted a member of the chatwoot team and are waiting to hear back a year ago
Pranav Raj S
a year ago

Maintainer


Hey Ajmal, Thanks for reporting this. Would you be able to share a sample SVG? I tried doing it with a couple of them, those didn't work.

Ajmal
a year ago

Researcher


<image x="10" y="10" width="276" height="110" xlink:href="YOUR LINK "/>
<path d="M0 150h300v10H0z"/>
</svg>```
add your open  ports in the YOUR LINK area
thanks for your response
Ajmal
a year ago

Researcher


<image x="10" y="10" width="276" height="110" xlink:href="http://0a0fdf524388.ngrok.io"/>
<path d="M0 150h300v10H0z"/>
</svg>```
Ajmal
a year ago

Researcher


i think huntr is using some sort of sanitize to the payload i will share a link

Ajmal
a year ago

Researcher


https://drive.google.com/drive/folders/1Aylj448fnVZGmCocaQ0yZuH7ozvYFsTj?usp=sharing change my localhost ip /port to yours or use requestbin or something like that to check the incoming request during host redirect

Ajmal
a year ago

Researcher


<image x="10" y="10" width="276" height="110" xlink:href="https://en7uzqeqppd0apu.m.pipedream.net"/>
<path d="M0 150h300v10H0z"/>
</svg>```
Ajmal
a year ago

Researcher


<image x="10" y="10" width="276" height="110" xlink:href="https://en7uzqeqppd0apu.m.pipedream.net"/>
<path d="M0 150h300v10H0z"/>
</svg>```
Sojan Jose
a year ago

Maintainer


This should be a duplicate of https://huntr.dev/bounties/1625474692857-chatwoot/chatwoot/ since avatars are a shared module. But thanks for reporting this.

Sojan Jose validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose
a year ago

Maintainer


it's a stored XSS vulnerability . But I don't see any SSRF . so closing https://huntr.dev/bounties/1625472018080-chatwoot/chatwoot/ in favor of this

Jamie Slome
a year ago

Admin


@sojan-official - same again here?

Are we able to mark the patch commit SHA and we can arrange a CVE!

Sojan Jose confirmed that a fix has been merged on 6fdd4a a month ago
The fix bounty has been dropped
to join this conversation