Local file inclusion in jgraph/drawio
Reported on May 14th 2022
Description
https://app.diagrams.net/embed2.js?&fetch= is used to fetch data. I tried to perform SSRF by extracting Google Cloud metadata but was unable to; however, I am still able to fetch server files like /etc/passwd.
Proof of Concept
1. Visit https://app.diagrams.net/embed2.js?&fetch=
2. Enter file:///etc/passwd in the fetch parameter and see that the content of /etc/passwd is fetched in URL-encoded format.
3. Decode the URL-encoded data and you can see the contents of /etc/passwd on the host where the server is running.
Impact
An attacker could read local files on the web server that they would normally not have access to, such as the application source code or configuration files containing sensitive information on how the website is configured.
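A server-side gate for a fetch-style parameter like the one described above, added here as an example and not code from the drawio project: it rejects any scheme other than http(s), so file:// never reaches the fetcher, and it also rejects literal loopback, private and link-local addresses (the cloud metadata address falls in the link-local range). The function name and its policy are my own assumptions, not the project's actual fix.

```python
import ipaddress
from urllib.parse import urlparse

# Only remote web resources may be proxied; file://, gopher://, ftp://,
# data: and scheme-less paths are all refused by the allowlist.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_fetch_url(url: str) -> bool:
    """Return True only if `url` is an absolute http(s) URL whose host is not a
    literal loopback, private, link-local or otherwise non-public address.

    Hypothetical gate for a `fetch=` parameter; it is a first filter, not a
    complete SSRF defence: a hostname passes here and must be checked again
    after DNS resolution in the fetching layer (not shown).
    """
    try:
        parts = urlparse(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # e.g. file:///etc/passwd from the report
    host = parts.hostname
    if not host:
        return False  # "http:///etc/passwd" has no host at all
    if host.lower() == "localhost":
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: resolve-and-recheck belongs in the fetcher
    # is_global is False for loopback, RFC 1918, link-local (169.254/16,
    # which contains the cloud metadata endpoint), shared address space, etc.
    return addr.is_global


def explain_rejection(url: str) -> str:
    """Short reason string suitable for a log line or error response."""
    if is_safe_fetch_url(url):
        return "allowed"
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"rejected: scheme '{scheme or '<none>'}' not allowed"
    return "rejected: host is missing or not a public address"
```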
Thanks for the report. Why have you marked the effort on availability as high? That means you know of an attack that would bring the system down, what is that attack please?
Hello David,
LFI can lead to remote code execution in certain cases if combined with a file upload vulnerability. Currently I am only able to achieve local file inclusion, where I am able to read web server files as explained in the original report. I didn't try to check whether I am able to achieve RCE; I will update if I am able to perform it. Until then you can change the CVSS score to AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. I have added a link to a blog that explains the impact of LFI: https://brightsec.com/blog/local-file-inclusion-lfi/
Please let me know if you have questions. Thank you.
Hi David, please verify the report with the new CVSS score, as RCE seems not to be achievable.
Hi, yes, I think this score is appropriate for the LFI alone.
Hello David, just confirming that another SSRF report has the same impact as mine; please have a look. https://huntr.dev/bounties/cad3902f-3afb-4ed2-abd0-9f96a248de11/
Thanks