Server Side Request Forgery via location header in jgraph/drawio

Valid

Reported on

May 15th 2022


Description

The SSRF checks on the proxy endpoint can be bypassed with an HTTP redirect: the checks run against the URL the user supplies, but the connection then follows the response's Location header to a target that was never checked (for example, an internal host).

Proof of Concept

1.) Mock a redirect endpoint using https://beeceptor.com/

2.) Add Location: http://localhost:1122 as a response header and set the status code to 301

3.) Listen on port 1122

4.) Access the following resource: /proxy?url=http://<id>.free.beeceptor.com (http is important here)

5.) The request will be made to localhost:1122

From my understanding, the code implements its own redirect handling by reading the Location header and making a new request, but this happens after setInstanceFollowRedirects has been set to true. With it set to true, the connection follows redirects automatically before any checks run.

Impact

This vulnerability lets an attacker make the server send requests to targets of the attacker's choosing, including internal hosts, and return the responses, leaking sensitive information to the attacker.
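The bypass from the proof of concept above, together with the check-every-hop fix, modelled as an added Python example. This is not drawio's code (its proxy is a Java servlet built on HttpURLConnection) and none of the names are the project's: two loopback HTTP servers stand in for the beeceptor redirector and the port-1122 listener, the hostname redirector.test and the HOSTS table are a constructed DNS stand-in so the script runs offline, and is_allowed is a hypothetical policy, not the project's actual check. proxy(url, check_every_hop=False) applies the policy once to the submitted URL and then follows redirects unchecked, which is what automatic redirect following does; check_every_hop=True follows the Location header itself and re-applies the policy before every hop.

```python
import http.client
import http.server
import ipaddress
import threading
from urllib.parse import urljoin, urlparse

# Constructed stand-in for DNS so the "public" redirector is reachable offline.
HOSTS = {"redirector.test": "127.0.0.1"}

class QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo silent
        pass

class RedirectHandler(QuietHandler):
    """PoC steps 1-2: every request gets a 301 whose Location points at the internal host."""
    target = None  # set by demo() once the internal listener has a port

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()

class InternalHandler(QuietHandler):
    """PoC step 3: a listener that should be reachable only from the server itself."""
    def do_GET(self):
        body = b"internal-only data"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_server(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def is_allowed(url):
    """Hypothetical proxy policy: http(s) only, no loopback/private/link-local/reserved targets.
    Literal addresses are classified with ipaddress and 'localhost' is refused by name; other
    names are not resolved so the demo runs offline (a real filter must resolve them as well)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname or p.hostname == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(p.hostname)
    except ValueError:
        return True  # a hostname; treated as external in this offline demo
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved
                or ip.is_multicast or ip.is_unspecified)

def fetch_one(url, timeout=3):
    """One request with redirect following disabled; returns (status, Location header, body)."""
    p = urlparse(url)
    conn = http.client.HTTPConnection(HOSTS.get(p.hostname, p.hostname), p.port or 80, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Host": p.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()

def proxy(url, check_every_hop, max_hops=5):
    """check_every_hop=False models the vulnerable servlet: the policy runs once on the submitted
    URL and redirects are then followed unchecked, which is what automatic following
    (setInstanceFollowRedirects(true)) does. check_every_hop=True is the fix: the client follows
    Location itself and applies the policy to each hop before connecting."""
    if not is_allowed(url):
        raise PermissionError(url)
    for _ in range(max_hops):
        status, location, body = fetch_one(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, body
        url = urljoin(url, location)
        if check_every_hop and not is_allowed(url):
            raise PermissionError(url)
    raise RuntimeError("too many redirects")

def demo():
    """PoC steps 4-5 against both variants: the body the vulnerable proxy leaked and the URL
    the fixed proxy refused to contact."""
    internal = start_server(InternalHandler)
    RedirectHandler.target = f"http://127.0.0.1:{internal.server_address[1]}/internal"
    redirector = start_server(RedirectHandler)
    start_url = f"http://redirector.test:{redirector.server_address[1]}/"
    try:
        _, leaked = proxy(start_url, check_every_hop=False)
        try:
            proxy(start_url, check_every_hop=True)
            refused = None
        except PermissionError as e:
            refused = str(e)
        return {"vulnerable_body": leaked, "fixed_refused": refused}
    finally:
        for srv in (redirector, internal):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Running the script prints a dict: vulnerable_body is the internal listener's response that came back through the unchecked redirect, and fixed_refused is the loopback URL the fixed path refused to contact. A policy that classifies hostnames without resolving them, as this offline demo does, is itself bypassable by a name that resolves to a private address; a production filter must resolve the name and check the address it actually connects to, on every hop.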

David Benson
a month ago

Maintainer


Hi, do you have a video showing the PoC attack working?

myxl
a month ago

Researcher


Hi, thanks for responding, I can record one if that's preferable, I'll get back to you soon!

David Benson
a month ago

Maintainer


Thanks. It's just that for a critical we need to be absolutely sure it's scored correctly. A lot of users will have to update their source.

myxl
a month ago

Researcher


Here is the link to the video: https://streamable.com/5uhbks If the report gets verified I would like to delete the video again, for privacy reasons, if that's okay. The top terminal shows the output of the docker container, the left one a shell session inside the docker container and the right one a curl command to invoke the SSRF.

David Benson
a month ago

Maintainer


I've accepted this as critical, but on reflection I don't think it's critical. I don't care about the bounty, but is it possible to re-score this @admin @jamieslome ?

Jamie Slome
a month ago

Admin


@davidjgraph - you are still able to re-score this using the Edit button at the top right of the report next to the severity.

Let me know if you are having any issues with this 👍

David Benson modified the Severity from Critical (9.3) to High (8.6) a month ago
David Benson modified the Severity from High (8.6) to High (7.5) a month ago
myxl
a month ago

Researcher


Seems good!

David Benson
a month ago

Maintainer


@myyxl , sorry, I posted that on the wrong issue. We are testing the setInstanceFollowRedirects behaviour to double check. If correct, a 7.5 is about right for such an SSRF.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability a month ago
myxl has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson
a month ago

Maintainer


The 18.0.7 release contains the fix: https://github.com/jgraph/drawio/commit/c63f3a04450f30798df47f9badbc74eb8a69fbdf

myxl
a month ago

Researcher


Looks good to me!

David Benson confirmed that a fix has been merged on c63f3a a month ago
The fix bounty has been dropped