Server-Side Request Forgery (SSRF) in apostrophecms/apostrophe

Valid

Reported on

Aug 17th 2021


✍️ Description

Rendering of SVG file causes SSRF

🕵️‍♂️ Proof of Concept

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="200" width="200" xlink:href="http://<EXAMPLE_SERVER>/image.jpeg" />
</svg>

Upload the SVG file with the payload mentioned above [change server name] and preview it. Then check the server for incoming requests.

💥 Impact

Basic SSRF attack -> host redirect; further research on this attack may lead to XXE.
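A defender-side check for the pattern in this report, added here as an example (it is not ApostropheCMS code and not the change in the linked PR): it scans an uploaded SVG for references that a server-side renderer or previewer would fetch, covering `href`/`xlink:href` attributes, `xml-stylesheet` instructions, CSS `url()` and entity declarations. Function names and the host `callback.example` in the embedded samples are constructed.

```javascript
// Added example, not ApostropheCMS code: flag SVG content that would make a
// server-side renderer or previewer fetch a remote resource before it is stored.
// Assumption: the upload is available as a string. The regexes handle well-formed
// markup; a production check should walk a real XML DOM instead.
const TAG_RE = /<([A-Za-z][\w:.-]*)((?:\s+[\w:.-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'))?)*)\s*\/?>/g;
const HREF_RE = /(?:^|\s)((?:xlink:)?href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')\s]+)/gi;
// Inline references point inside the document or carry their own bytes; anything
// else (absolute or relative URL) triggers a fetch at render time.
function isInlineReference(value) {
  const v = value.trim().toLowerCase();
  return v === '' || v.startsWith('#') || v.startsWith('data:');
}
function findExternalReferences(svgText) {
  const findings = [];
  // Entity declarations are the entry point for XXE-style file or URL reads.
  if (/<!DOCTYPE[^>]*\[|<!ENTITY\b/i.test(svgText)) {
    findings.push({ kind: 'dtd', detail: 'internal DTD subset or entity declaration' });
  }
  // <?xml-stylesheet href="..."?> pulls in an external stylesheet.
  for (const pi of svgText.matchAll(/<\?xml-stylesheet\b([^?]*)\?>/gi)) {
    for (const h of pi[1].matchAll(HREF_RE)) {
      const url = h[2] ?? h[3];
      if (!isInlineReference(url)) findings.push({ kind: 'stylesheet', url });
    }
  }
  // href / xlink:href on image, use, feImage, pattern, ...; <a> is a navigation
  // link that renderers never fetch, so it is skipped.
  for (const [, name, attrs] of svgText.matchAll(TAG_RE)) {
    if (name.toLowerCase() === 'a') continue;
    for (const h of attrs.matchAll(HREF_RE)) {
      const url = h[2] ?? h[3];
      if (!isInlineReference(url)) findings.push({ kind: 'element', element: name, attribute: h[1], url });
    }
  }
  // CSS url() in style attributes or <style> blocks; fill="url(#grad)" stays local.
  for (const u of svgText.matchAll(CSS_URL_RE)) {
    if (!isInlineReference(u[1])) findings.push({ kind: 'css', url: u[1] });
  }
  return findings;
}
// Upload policy: only SVGs with no external references are rendered server-side.
const isSafeToRender = (svgText) => findExternalReferences(svgText).length === 0;
// Constructed samples: the report's PoC with the placeholder host replaced by a
// constructed one, and a benign icon that only references its own <symbol>.
const POC_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image height="200" width="200" xlink:href="http://callback.example/image.jpeg" /></svg>`;
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg"><defs><symbol id="dot"><circle r="4" fill="url(#g)"/></symbol></defs><use href="#dot"/></svg>`;
```

Running `isSafeToRender(POC_SVG)` returns false with one `element` finding for the `image` element's `xlink:href`, while `isSafeToRender(BENIGN_SVG)` returns true.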

We have contacted a member of the apostrophecms/apostrophe team and are waiting to hear back a year ago
Alex Bea validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tom Boutell
a year ago

Maintainer


This has been fixed by the core team in version 3.4.0.

Tom Boutell
a year ago

Maintainer


Thank you for reporting it.

Tom Boutell
a year ago

Maintainer


( I can't report this fixed via the menus because there's no provision there for a fix that was already released in the main branch and no longer exists in a separate branch. Here's a link to the code change though: https://github.com/apostrophecms/apostrophe/pull/3394 )

Tom Boutell
a year ago

Maintainer


Ah, I was able to confirm it fixed on another report.

Tom Boutell confirmed that a fix has been merged on c8b94e a year ago
Tom Boutell has been awarded the fix bounty
0x9x
a year ago

Nice! But the SVG file upload issue has already been fixed!?

Tom Boutell
a year ago

Maintainer


Yes, by me (I'm on the core team). If I double-claimed the bounty on another ticket somewhere then some admin should probably revoke one of them and that's fine — I'm just trying to keep folks updated on whether these issues are still in play.

Tom Boutell
a year ago

Maintainer


(Don't really care about the bounty personally or know what the policy is on that, just want it clear what's been fixed)

0x9x
a year ago

This report is a duplicate of another! Link --> https://www.huntr.dev/bounties/418f3867-d3b3-4fc7-bcdf-400cf86e7123/

If I want to demonstrate it with an SSRF scenario, I would do this.

Tom Boutell
a year ago

Maintainer


As stated on that ticket you linked to, this has already been fixed. If you can still do it on our public demo, please provide complete instructions to reproduce that here. Thank you.
