Server-Side Request Forgery (SSRF) in snipe/snipe-it

Valid

Reported on

Dec 5th 2021


Description

Admin users on the external network can perform blind POST-based SSRF (issue requests on behalf of the server into the internal network) via the Slack Integration

Performing portscans

1: Go to Slack Integrations

2: Use http://127.0.0.1:1337 as the Slack Endpoint. See the error message: cURL error 7: Failed to connect to 127.0.0.1 port 1337: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) Indicating that requests can be made to 127.0.0.1 and that port 1337 on 127.0.0.1 is closed.

Interacting with internal webservices

1: We will setup a server in the internal network for demonstration purposes.

2: Run the following NodeJS code

var express = require('express')
var app = express()

app.post('/shutdown', function(request, response) {
  console.log("Server shutting down")
  process.exit( );
})

const port = 3000
const ip = '0.0.0.0'
app.listen(port, ip)
console.log(`Listening at http://localhost:${port}`)

3: Now input http://[NODE-SERVER-IP]:3000/shutdown and watch the server shutdown.

Impact

This vulnerability is capable of port-scanning of the internal network, issue POST requests to web servers on the internal network which can be escalated to higher-impact.

Recommended Fix

Only allow the integration URL if the host === hooks.slack.com

OR only allow the XXXXX portion of the hooks.slack.com/XXXXXX from frontend and append to "hooks.slack.com/" string in backend

Occurences

Only allow the integration URL if the host === hooks.slack.com

OR only allow the XXXXX portion of the hooks.slack.com/XXXXXX from frontend and append to "hooks.slack.com/" string in backend

Only allow the integration URL if the host === hooks.slack.com

OR only allow the XXXXX portion of the hooks.slack.com/XXXXXX from frontend and append to "hooks.slack.com/" string in backend

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a month ago
haxatron modified their report
a month ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a month ago
snipe validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 4612b9 a month ago
snipe has been awarded the fix bounty