Server-Side Request Forgery (SSRF) in rodber/chevereto-free

Valid

Reported on

Dec 30th 2021


Description

There was some hardening done previously against private IP addresses in the SSRF vulnerability I disclosed in the previous report https://github.com/rodber/chevereto-free/. However, the checks can be bypassed by URL redirection.

Proof of Concept

If http://example.com resolves to a public IP address, it passes the isValidUrl check. If that same http://example.com then redirects to a private IP address by serving a 302 response, curl_exec will query the private address instead, because in https://github.com/rodber/chevereto-free/blob/e120fec868272399f675377d5713f1f06cebc996/lib/G/functions.php#L1651 CURLOPT_FOLLOWLOCATION is set to 1, which tells curl to follow redirects. The IP check is only applied to the URL as submitted, never to the target of the redirect.

A redirector for testing can be set up like this (redirector.py):

import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

# Expect exactly two arguments: the port to listen on and the redirect target.
if len(sys.argv) - 1 != 2:
    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
    sys.exit(1)


class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        # Answer every GET with a 302 pointing at the URL given on the command line.
        self.send_response(302)
        self.send_header('Location', sys.argv[2])
        self.end_headers()


HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()

Usage:

python redirector.py [port] [redirect_url]

Impact

This vulnerability enables SSRF (the server can be made to send requests to the internal network).

Occurrences

CURLOPT_FOLLOWLOCATION should be disabled

Redirection should be disabled for file_get_contents too
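As an added defender-side example (not Chevereto's code), the fetch helper below keeps CURLOPT_FOLLOWLOCATION off and re-validates the target of every 3xx before requesting it, which is the hardening the two points above call for; the helper names, the filter_var range check, the hop limit and the IPv4-only resolution are assumptions.

```php
<?php
// Added example, not from the chevereto-free code base.
// Rejects hostnames that resolve to private/reserved IPv4 ranges (assumption:
// filter_var flags cover the ranges that matter; gethostbynamel is IPv4-only,
// so AAAA-only hosts are rejected as a conservative default).
function resolvesToPublicIp(string $url): bool {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $ips = gethostbynamel($host) ?: [];
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false; // 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ...
        }
    }
    return true;
}

// Fetches $url without letting curl follow redirects on its own. Each 3xx
// Location is run through the same IP check before the next request.
function safeFetch(string $url, int $maxHops = 3): ?string {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!resolvesToPublicIp($url)) {
            return null;
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // the setting the report asks for
            CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT => 10,
        ]);
        $body = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // '' when not a redirect
        curl_close($ch);
        if ($status < 300 || $status >= 400 || $next === '') {
            return $body === false ? null : $body;
        }
        $url = $next; // validate the redirect target on the next iteration
    }
    return null; // too many hops
}

// file_get_contents follows redirects by default; turn that off as well.
$ctx = stream_context_create(['http' => ['follow_location' => 0]]);
```

The check-then-fetch order still leaves a DNS rebinding window between the lookup and curl's own resolution; pinning the validated address with CURLOPT_RESOLVE closes it.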

We are processing your report and will contact the rodber/chevereto-free team within 24 hours. a year ago
haxatron modified the report
a year ago
haxatron submitted a
a year ago
We have contacted a member of the rodber/chevereto-free team and are waiting to hear back a year ago
We have sent a follow up to the rodber/chevereto-free team. We will try again in 7 days. a year ago
Rodolfo Berrios validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodolfo Berrios marked this as fixed in 1.6.2 with commit 586031 a year ago
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE
functions.php#L1651 has been validated
functions.php#L1691L1693 has been validated