Local file inclusion in jgraph/drawio

Valid

Reported on

May 14th 2022


Description

https://app.diagrams.net/embed2.js?&fetch= is used to fetch data. I tried to perform SSRF by extracting Google Cloud metadata but was unable to; however, I am still able to fetch server files like /etc/passwd.

Proof of Concept

1. Visit https://app.diagrams.net/embed2.js?&fetch=
2. Enter file:///etc/passwd in the fetch parameter and see that the content of /etc/passwd is fetched in URL-encoded format.
3. Decode the URL-encoded data and you can see the contents of /etc/passwd on the server where the site is hosted.

Impact

An attacker could read local files on the web server that they would normally not have access to, such as the application source code or configuration files containing sensitive information on how the website is configured.

We are processing your report and will contact the jgraph/drawio team within 24 hours. a month ago
0x2374
a month ago

Researcher


David Benson
a month ago

Maintainer


Thanks for the report. Why have you marked the effort on availability as high? That means you know of an attack that would bring the system down, what is that attack please?

0x2374
a month ago

Researcher


Hello David,

LFI can lead to remote code execution in certain cases if combined with a file upload vulnerability. Currently I am only able to achieve local file inclusion, where I am able to read web server files as explained in the original report. I didn't try to check whether I am able to achieve RCE; I will update if I am able to perform it. Until then you can change the CVSS score to AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. I have added a link to a blog where the impact of LFI is explained: https://brightsec.com/blog/local-file-inclusion-lfi/

Please let me know if you have questions. Thank you

David Benson modified the Severity from Critical (9.1) to High (7.5) a month ago
0x2374
a month ago

Researcher


Hi David, please verify the report with the new CVSS score, as RCE seems not to be achievable.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a month ago

Hi, yes, I think this score is appropriate for the LFI alone.

0x2374 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
0x2374
a month ago

Researcher


Hello David, just confirming that another SSRF report has the same impact as mine; please have a look. https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11/

Thanks

David Benson
a month ago

Maintainer


Hi, yes, the CVE score on that one is too high.

0x2374
a month ago

Researcher


No, it is Critical (9.3)

David Benson
a month ago

Maintainer


The availability score is not none, but it should have been none.

0x2374
a month ago

Researcher


yes

0x2374
a month ago

Researcher


Will you change the CVSS to match with that report?

David Benson
a month ago

Maintainer


There is no mechanism in huntr to do that.

0x2374
a month ago

Researcher


ok no problem

David Benson
a month ago

Maintainer


cf5c78aa0f3127fb10053db55b39f3017a0654ae changed to high severity

David Benson confirmed that a fix has been merged on 7a68eb a month ago
The fix bounty has been dropped