Server-Side Request Forgery (SSRF) in chocobozzz/peertube

Valid

Reported on

Dec 30th 2021


Description

There is an SSRF vulnerability in PeerTube, registered users outside of the external network can issue GET requests into the internal network via the Import With URL option.

Proof of Concept

Setting a Python3 server on 8080

python3 -m http.server 8080

And importing this URL

http://127.0.0.1:8080

Will cause a request to be issued to localhost

gitpod /workspace/PeerTube $ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
127.0.0.1 - - [30/Dec/2021 10:03:31] "HEAD / HTTP/1.1" 200 -
127.0.0.1 - - [30/Dec/2021 10:03:31] "GET / HTTP/1.1" 200 -

Impact

External attackers can port scan and map the internal network. They can also escalate the impact of SSRF to disclose videos stored on webservers on the internal network. For example, if a sensitive file is stored in another server http://192.168.0.1/video.mp4, they can input that URL to reveal the video present.

Recommended Fix

The https://www.npmjs.com/package/ipaddr.js/v/1.1.0 package can be used to determine if an IP address is public or private instead of trying to catch all possible private IP addresses.

var ipAddr = require('ipaddr.js')

// BAD
console.log(ipAddr.parse("127.0.0.1").range())
console.log(ipAddr.parse("192.168.0.1").range())
console.log(ipAddr.parse("::ffff:7f00:2").range())
console.log(ipAddr.parse("fd12:3456:789a:1::1").range())

// GOOD
console.log(ipAddr.parse("142.251.12.138").range())

unicast = good.

loopback
private
ipv4Mapped
uniqueLocal
unicast

References

We are processing your report and will contact the chocobozzz/peertube team within 24 hours. a month ago
haxatron modified their report
a month ago
haxatron
a month ago

Researcher


We have contacted a member of the chocobozzz/peertube team and are waiting to hear back a month ago
We have sent a follow up to the chocobozzz/peertube team. We will try again in 7 days. 25 days ago
chocobozzz validated this vulnerability 22 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
chocobozzz confirmed that a fix has been merged on 7b54a8 22 days ago
chocobozzz has been awarded the fix bounty
import.ts#L132L138 has been validated