Blind SSRF on the RSS Feed in glpi-project/glpi

Valid

Reported on

Jul 18th 2022


A normal user can add an RSS Feed with an internal URL which could lead to a blind SSRF issue by using local URLs.

Impact

Since this is a blind SSRF, it is not possible to read the response of HTTP requests. However, this vulnerability can be used for reconnaissance or it can be used to craft server requests.

Proof Of Concept

  • Run an internal HTTP server on port X
  • Put an internal URL such as "gopher://127.0.0.1:X"
  • Save the RSS Feed Item
  • Check the Content tab
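
A server-side check that would refuse the URL from the proof of concept above, as an added example (Python for illustration; it is not GLPI's code or the fix merged upstream). `vet_feed_url` and the resolver helpers are hypothetical names, and the host names, addresses and port 8080 are constructed sample values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port

# Constructed sample DNS data so the demo runs offline (hypothetical names).
SAMPLE_DNS = {"feeds.example.org": ["8.8.8.8"], "wiki.corp.example": ["10.0.0.5"]}

def system_resolver(host, port):
    """Every address the OS resolver would hand to the HTTP client."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def sample_resolver(host, port):
    """Offline stand-in: IP literals resolve to themselves, names via SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in SAMPLE_DNS:
            raise OSError("unknown host")
        return SAMPLE_DNS[host]

def vet_feed_url(url, resolver=system_resolver):
    """Return (allowed, detail); detail is the vetted address list or a reason."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # rejects gopher:// and friends
        return False, f"scheme not allowed: {scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parts.hostname, port or ALLOWED_SCHEMES[scheme])
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
        if not ip.is_global:                   # loopback, RFC 1918, link-local, ...
            return False, f"non-public address: {ip}"
    return bool(addrs), addrs or "host does not resolve"

if __name__ == "__main__":
    for u in ("gopher://127.0.0.1:8080", "http://127.0.0.1:8080/", "http://[::1]/",
              "http://wiki.corp.example/rss", "https://feeds.example.org/rss.xml"):
        print(u, "->", vet_feed_url(u, sample_resolver))
```

The fetcher should connect to the addresses this check returned and run the same check on every redirect target; otherwise the name can resolve differently between validation and fetch.
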
We are processing your report and will contact the glpi-project/glpi team within 24 hours. 2 months ago
Seif-Allah Homrani modified the report
2 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 months ago
glpi-project/glpi maintainer modified the Severity from High to Low 2 months ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the glpi-project/glpi team. We will try again in 10 days. 2 months ago
We have sent a third and final follow up to the glpi-project/glpi team. This report is now considered stale. a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
glpi-project/glpi maintainer validated this vulnerability 15 days ago
Seif-Allah Homrani has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
glpi-project/glpi maintainer
15 days ago

See https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv

We have sent a fix follow up to the glpi-project/glpi team. We will try again in 7 days. 12 days ago
Seif-Allah
7 days ago

Researcher


Hi @admin, can you please assign CVE-2022-36112 to this bug?

We have sent a second fix follow up to the glpi-project/glpi team. We will try again in 10 days. 5 days ago
glpi-project/glpi maintainer confirmed that a fix has been merged on ad66d6 4 days ago
The fix bounty has been dropped
Jamie Slome
3 days ago

Admin


Sorted :)
