Server-Side Request Forgery (SSRF) in erudika/scoold
Valid
Reported on Aug 10th 2021
✍️ Description
The affected URL is vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
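The redirect bypass described above works because a fetcher that follows redirects automatically validates only the URL the user supplied, not the Location it is sent to. The following is an added illustration of the defensive pattern (not Scoold's code, and written in Python rather than Java for brevity): every hop, including each redirect target, is resolved and rejected unless all of its addresses are globally routable. The host names, addresses and responses in FAKE_DNS and FAKE_HTTP are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

def resolve_all(hostname):
    # Every address the name maps to (A and AAAA); IP literals pass straight through.
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_target(url, resolver=resolve_all):
    """Return None if the URL may be fetched, otherwise the reason it is blocked."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "scheme or host not allowed in %r" % url
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError):
        return "unresolvable host: %s" % parts.hostname
    for addr in addrs:
        # is_global is False for loopback, link-local, RFC 1918, CGNAT, ULA, ...
        if not ipaddress.ip_address(addr).is_global:
            return "non-public address %s for %s" % (addr, parts.hostname)
    return None

def fetch_checked(url, fetch, resolver=resolve_all, max_redirects=5):
    """fetch(url) -> (status, headers, body) and must not follow redirects itself;
    each Location header is re-checked here before the next hop is requested."""
    for _ in range(max_redirects + 1):
        reason = check_target(url, resolver)
        if reason:
            raise ValueError("blocked %s: %s" % (url, reason))
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, status, body
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect without Location from %s" % url)
        url = urljoin(url, location)  # relative Location resolves against this hop
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP; the hosts and responses are made up.
FAKE_DNS = {"cdn.example.test": ["93.184.216.34"], "intra.example.test": ["10.0.0.5"]}
FAKE_HTTP = {
    "https://cdn.example.test/ok.png": (200, {}, b"PNG-bytes"),
    "https://cdn.example.test/hop": (301, {"Location": "/ok.png"}, b""),
    "https://cdn.example.test/evil": (302, {"Location": "http://169.254.169.254/latest/"}, b""),
}
def fake_resolver(host):  # dict lookup, else treat host as an IP literal
    return FAKE_DNS.get(host) or [str(ipaddress.ip_address(host))]
fake_fetch = FAKE_HTTP.__getitem__  # stand-in client that never follows redirects
```

The check resolves the name separately from the connection, so a production fetcher should additionally pin the connection to the address it validated (otherwise DNS rebinding between check and connect remains possible).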
🕵️♂️ Proof of Concept
@GetMapping({"", "/{id}/**"})
public String get(@PathVariable(required = false) String id, HttpServletRequest req, Model model) {
    // Not signed in and no id requested: send the user to the sign-in page
    if (!utils.isAuthenticated(req) && StringUtils.isBlank(id)) {
        return "redirect:" + SIGNINLINK + "?returnto=" + PROFILELINK;
    }
    Profile authUser = utils.getAuthUser(req);
    Profile showUser;
    boolean isMyProfile;
    if (StringUtils.isBlank(id) || isMyid(authUser, Profile.id(id))) {
        // requested userid !exists or = my userid => show my profile
        showUser = authUser;
        isMyProfile = true;
    } else {
        // Look up the requested profile by id
        showUser = utils.getParaClient().read(Profile.id(id));
        isMyProfile = isMyid(authUser, Profile.id(id));
    }
    if (showUser == null || !ParaObjectUtils.typesMatch(showUser)) {
        return "redirect:" + PROFILELINK;
    }
PoC vulnerable URL:
https://live.scoold.com/people/avatar?url=https://shdgrhj11vba558yg5quchg3kuqmeb.burpcollaborator.net
PoC image:
https://drive.google.com/file/d/1PriQQ2LsMZy42225zvdx-pCU5kiPAjRM/view?usp=sharing/
💥 Impact
They may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
We have contacted a member of the erudika/scoold team and are waiting to hear back.
2 years ago
Could you please post the PoC image again? I can't open it.
https://drive.google.com/file/d/1PriQQ2LsMZy42225zvdx-pCU5kiPAjRM/view?usp=drivesdk