Local file inclusion in jgraph/drawio
May 14th 2022
https://app.diagrams.net/embed2.js?&fetch= is used to fetch data. I tried to perform SSRF by extracting Google Cloud metadata but was unable to do so, but I am still able to fetch server files like /etc/passwd.
Proof of Concept
1. Visit https://app.diagrams.net/embed2.js?&fetch=
2. Enter file:///etc/passwd in the fetch parameter and see that the content of /etc/passwd is fetched in URL-encoded format.
3. Decode the URL-encoded data and you can see the contents of /etc/passwd of the host where the server is running.
An attacker could read local files on the web server that they would normally not have access to, such as the application source code or configuration files containing sensitive information on how the website is configured.
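As an added illustration of the fix such a report calls for (example code, not draw.io's own implementation), the validator below allow-lists the URL scheme and rejects hosts that resolve to loopback, link-local or private addresses before any fetch is made. It turns away the file:///etc/passwd PoC from this report as well as the metadata endpoints the reporter tried. The hostname table, the resolver hook and the function names are assumptions introduced here, not anything from the page.

```python
"""
Added example, not draw.io's code: an allow-list validator for a user-supplied
fetch URL, of the kind a server-side proxy endpoint such as embed2.js?fetch=
needs in front of its HTTP client.

Assumptions (not stated on the page): the endpoint should only ever fetch over
http/https from public hosts. Host-to-IP resolution is injectable so the checks
run offline in tests.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed list of hostnames a diagram-fetching proxy has no business
# reaching: cloud metadata services and the local machine. Matched by name
# so they are refused even before DNS resolution.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to its IP address strings using the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_ip_literal(host: str) -> bool:
    """True if host is already an IPv4/IPv6 literal (urlsplit strips the [] of IPv6)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ip_is_internal(ip_text: str) -> bool:
    """True for loopback, RFC 1918 / ULA, link-local (which covers 169.254.169.254),
    unspecified, multicast and reserved addresses."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def validate_fetch_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL received in the fetch parameter.

    Rejects non-http(s) schemes (so file:///etc/passwd, gopher:, ftp: ...),
    URLs with embedded credentials, blocked hostnames, and any host whose
    resolved addresses include an internal one.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"host {host!r} is blocked"
    try:
        addrs = [host] if is_ip_literal(host) else list(resolver(host))
    except (socket.gaierror, OSError) as exc:
        return False, f"could not resolve {host!r}: {exc}"
    if not addrs:
        return False, f"host {host!r} did not resolve"
    # Every resolved address must be public; one internal A/AAAA record is enough to refuse.
    for addr in addrs:
        if ip_is_internal(addr):
            return False, f"host {host!r} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd",
                      "http://169.254.169.254/computeMetadata/v1/",
                      "http://metadata.google.internal/computeMetadata/v1/"):
        print(candidate, "->", validate_fetch_url(candidate))
```

Two caveats apply to a check like this in production: the HTTP client must reuse the address that was validated (or validate inside its connection hook), otherwise a DNS record that changes between the check and the connect defeats it, and every redirect target must pass the same validation before it is followed.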
Thanks for the report. Why have you marked the effect on availability as high? That means you know of an attack that would bring the system down; what is that attack, please?
LFI can lead to remote code execution in certain cases if combined with a file upload vulnerability. Currently I am only able to achieve local file inclusion, where I am able to read web server files as explained in the original report. I didn't try to check whether I am able to achieve RCE; I will update if I am able to perform it. Until then you can change the CVSS score to AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. I have added a link to a blog that explains the impact of LFI: https://brightsec.com/blog/local-file-inclusion-lfi/
Please let me know if you have questions. Thank you.
Hi David, please verify the report with the new CVSS score, as RCE seems not to be achievable.
Hi, yes, I think this score is appropriate for the LFI alone.
Hello David, just confirming that another SSRF report has the same impact as mine; please have a look. https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11/
Hi, yes, the CVE score on that one is too high.
No, it is Critical (9.3).
The availability score is not none, but it should have been none.
Will you change the CVSS to match that report?
There is no mechanism in huntr to do that.
OK, no problem.
cf5c78aa0f3127fb10053db55b39f3017a0654ae changed to high severity