Server-Side Request Forgery (SSRF) in rodber/chevereto-free

Valid

Reported on

Dec 30th 2021


Description

There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However, the checks can be bypassed by URL redirection.

Proof of Concept

If http://example.com resolves to a public IP address, it passes the isValidUrl check. If that same http://example.com then redirects to a private IP address by serving a 302 response, curl_exec queries the private address instead, because https://github.com/rodber/chevereto-free/blob/e120fec868272399f675377d5713f1f06cebc996/lib/G/functions.php#L1651 sets CURLOPT_FOLLOWLOCATION to 1, which tells curl to follow redirects. The check is applied only to the URL the user supplied, not to the destination of the redirect.

A redirector for testing can be set up like this:

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

# Expect exactly two arguments: the port to listen on and the redirect target
if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)


class Redirect(BaseHTTPRequestHandler):
    # Answer every GET with a 302 whose Location is the URL from the command line
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


# Listen on all interfaces on the given port and serve redirects until stopped
HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Run it as:

python redirector.py [port] [redirect_url]

Impact

This vulnerability allows SSRF: the server can be made to issue requests to the internal network.

Occurrences

CURLOPT_FOLLOWLOCATION should be disabled

Redirection should be disabled for file_get_contents too
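The two remediation notes above call for turning redirect following off. Where the application still has to honour redirects, the equivalent safe pattern is to follow them itself and re-run the destination check on every hop, so that a 302 from a public host to a private address is refused before the second request is made. The Python below is an added example of that pattern; it is not Chevereto's code (whose fetch logic is PHP), and the function names, the BlockedDestination exception, the hosts public.example and intranet.example with their addresses, and fake_fetch (which stands in for the report's redirector) are all constructed for the example.

```python
# Redirect-aware fetch: validate the destination of every hop instead of
# letting the HTTP client follow Location headers on its own (added example).
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


class BlockedDestination(ValueError):
    """A URL, or a redirect target, points at a non-public address."""


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_host(host):
    """Live DNS: every A/AAAA record, so each candidate address gets checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url, resolve=resolve_host):
    """Allow only http(s) to hosts whose every address is public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise BlockedDestination(f"scheme not allowed: {url}")
    host = parsed.hostname
    if not host:
        raise BlockedDestination(f"no host in URL: {url}")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise BlockedDestination(f"unresolvable host: {host}")
    for ip in ips:
        if not is_public_ip(ip):
            raise BlockedDestination(f"{host} -> {ip} is not a public address")
    return ips


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url, timeout=5):
    """One request, redirects disabled; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:  # urllib reports the unfollowed 3xx here
        return err.code, dict(err.headers.items()), err.read()


def _header(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def safe_fetch(url, fetch=urllib_fetch, resolve=resolve_host, max_redirects=MAX_REDIRECTS):
    """Fetch url, following redirects by hand and re-checking each hop.
    Returns (final_url, status, body)."""
    for _ in range(max_redirects + 1):
        check_url(url, resolve)            # the check runs before every request
        status, headers, body = fetch(url)
        location = _header(headers, "Location")
        if status not in REDIRECT_CODES or location is None:
            return url, status, body
        url = urljoin(url, location)       # handles relative Location values
    raise ValueError(f"more than {max_redirects} redirects")


# Constructed fixtures standing in for DNS and the network; not real hosts.
FAKE_DNS = {"public.example": ["1.2.3.4"], "intranet.example": ["10.0.0.5"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    """Behaves like the redirector in the report: a public host answering 302."""
    if url == "http://public.example/bounce":
        return 302, {"Location": "http://127.0.0.1:8080/admin"}, b""
    if url == "http://public.example/relative":
        return 302, {"Location": "/landing"}, b""
    return 200, {"Content-Type": "text/plain"}, b"ok"


def demo():
    """Outcome of each constructed case when fetched through safe_fetch."""
    results = {
        "direct": safe_fetch("http://public.example/landing", fake_fetch, fake_resolve)[1],
        "relative": safe_fetch("http://public.example/relative", fake_fetch, fake_resolve)[0],
    }
    try:
        safe_fetch("http://public.example/bounce", fake_fetch, fake_resolve)
        results["bounce"] = "allowed"
    except BlockedDestination as err:
        results["bounce"] = f"blocked: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the module exercises the three constructed cases: a direct 200, a relative Location that stays on the same public host, and the report's scenario of a public host answering 302 with a loopback target, which is refused before the second request is sent. Checking a hostname and then letting the client resolve it again still leaves a window between the two lookups; pinning the connection to the address that was checked closes it, and is outside the scope of this example.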

Rodolfo Berrios validated this vulnerability 21 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodolfo Berrios confirmed that a fix has been merged on 586031 21 days ago
haxatron has been awarded the fix bounty
functions.php#L1651 has been validated
functions.php#L1691L1693 has been validated