No rate limit via proxy url parameter in jgraph/drawio

Valid

Reported on

Aug 29th 2022


Description

Hi Drawio Team,

Your proxy server has no limit on requests, so an attacker can use it as a PORT SCANNER.

https://app.diagrams.net/proxy?url={IP:PORT}&base64=1

Proof of Concept

Image from my OWASP ZAP: https://ibb.co/h87hz3N

Impact

Malicious use.

Load on memory (DoS).

Affects the availability.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 25 days ago
maakthon modified the report
24 days ago
David Benson
24 days ago

Maintainer


Thanks for the report. You're reporting two things here:

  1. DoS. Rate limiting / dealing with DoS is an infrastructure level issue. You will not be able to DoS app.diagrams.net with this attack, we have infrastructure in place to deal with this.

     If someone deployed the java ProxyServlet that would be up to them to deal with the issue.

  2. No port filtering. This is valid, but your current rating of critical is incorrect for this one item.
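The report above shows the primitive (`proxy?url={IP:PORT}` makes the server open a TCP connection to any host and port the caller names, and the response or error for each port tells the caller whether it is open), and the maintainer's second item names the missing control: port filtering. The block below is an added example of what such a check looks like at the proxy's entry point. It is not drawio's ProxyServlet and not the fix merged in 59887e; the function name `check_proxy_target`, the resolver hook, the allowlists and the stub DNS answers are assumptions made for the illustration. Beyond the port allowlist the report asks for, it also rejects destinations that resolve to non-public addresses, because a proxy that only filters ports still reaches loopback, RFC 1918 and link-local targets on 80/443.

```python
"""Port and destination filtering for a proxy endpoint such as /proxy?url=...

Added illustration, not drawio's ProxyServlet and not the fix in commit 59887e.
The function name check_proxy_target, the resolver hook and the allowlists are
assumptions chosen for this example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Without a port allowlist, url=http://host:PORT turns the proxy into a port
# scanner: the time/error it returns for each PORT reveals whether PORT is open.
ALLOWED_PORTS = {80, 443}


def _dns_resolve(host):
    """Real DNS lookup: unique IP strings (A and AAAA) for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_proxy_target(url, resolver=_dns_resolve):
    """Decide whether the proxy may fetch url.

    Returns (ok, reason, addrs). When ok is True the caller should connect to
    one of addrs instead of re-resolving the name, so a DNS rebinding answer
    cannot swap in a private address after the check (TOCTOU).
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return False, f"unparseable url: {exc}", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed (only {sorted(ALLOWED_PORTS)})", []
    # IP literal: no lookup. Otherwise check every answer, because an attacker-
    # controlled name may return a public and a private address together.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"dns failure for {host}: {exc}", []
    if not addrs:
        return False, f"{host} did not resolve", []
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            # Rejects loopback, RFC 1918, link-local (169.254.169.254), etc.
            return False, f"{host} resolves to non-public address {addr}", []
    return True, f"{host}:{port}", addrs


# Constructed DNS answers for the demonstration; not real records.
STUB_DNS = {
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "intranet.corp": ["10.20.30.40"],
    "diagrams.example.org": ["93.184.216.34"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],
}


def stub_resolve(host):
    """Offline stand-in for _dns_resolve, backed by STUB_DNS."""
    if host not in STUB_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return STUB_DNS[host]


# Probes in the shape of the report's proxy?url={IP:PORT} request (constructed).
PROBES = [
    "http://10.0.0.5:22/",
    "http://10.0.0.5/",
    "http://localhost:80/",
    "http://metadata.internal/latest/meta-data/",
    "http://rebind.attacker.test/",
    "http://diagrams.example.org:8080/",
    "ftp://diagrams.example.org/",
    "https://diagrams.example.org/diagram.drawio",
]

if __name__ == "__main__":
    for probe in PROBES:
        ok, reason, addrs = check_proxy_target(probe, resolver=stub_resolve)
        verdict = "ALLOW" if ok else "DENY "
        print(f"{verdict} {probe:45} {reason} {addrs if ok else ''}")
```

Running the block with the stub resolver denies every probe except the last one. Two points matter in production: the resolver hook exists only so the check runs offline (drop the `resolver=` argument to use real DNS), and the returned `addrs` is what the fetch should connect to, not the hostname, otherwise a second lookup can return a different answer than the one that was validated.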
maakthon
24 days ago

Researcher


Hi Mr David,

Thank you for the response. So we can count one bug, which is [No port filtering]. I will edit it now!

maakthon modified the report
24 days ago
maakthon
24 days ago

Researcher


Is it okay now, or do we have to edit something else, Mr David?

David Benson
24 days ago

Maintainer


You've set the effect on integrity and availability as high for the port scanning report, could you explain in detail why those two levels?

maakthon
24 days ago

Researcher


Sure. Imagine someone discloses your proxy in public, so a lot of people will use it as a port scanner and put your domain at risk (someone can use it to scan private or military systems). So if a lot of people use it, that will affect the availability.

About the integrity: sorry, I forgot to remove it while editing the report.

maakthon modified the report
24 days ago
David Benson modified the Severity from High (7.4) to Medium (5.3) 24 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability 24 days ago
maakthon has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
maakthon
24 days ago

Researcher


Thank you Mr.David.

David Benson confirmed that a fix has been merged on 59887e 22 days ago
The fix bounty has been dropped