Server-Side Request Forgery (SSRF) in erudika/scoold

Valid

Reported on

Aug 10th 2021


✍️ Description

Affected URL is vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

🕵️‍♂️ Proof of Concept

    @GetMapping({"", "/{id}/**"})
    public String get(@PathVariable(required = false) String id, HttpServletRequest req, Model model) {
        if (!utils.isAuthenticated(req) && StringUtils.isBlank(id)) {
            return "redirect:" + SIGNINLINK + "?returnto=" + PROFILELINK;
        }
        Profile authUser = utils.getAuthUser(req);
        Profile showUser;
        boolean isMyProfile;

        if (StringUtils.isBlank(id) || isMyid(authUser, Profile.id(id))) {
            //requested userid !exists or = my userid => show my profile
            showUser = authUser;
            isMyProfile = true;
        } else {
            showUser = utils.getParaClient().read(Profile.id(id));
            isMyProfile = isMyid(authUser, Profile.id(id));
        }

        if (showUser == null || !ParaObjectUtils.typesMatch(showUser)) {
            return "redirect:" + PROFILELINK;
        }
    @GetMapping({"", "/{id}/**"})
    public String get(@PathVariable(required = false) String id, HttpServletRequest req, Model model) {
        if (!utils.isAuthenticated(req) && StringUtils.isBlank(id)) {
            return "redirect:" + SIGNINLINK + "?returnto=" + PROFILELINK;
        }
        Profile authUser = utils.getAuthUser(req);
        Profile showUser;
        boolean isMyProfile;

        if (StringUtils.isBlank(id) || isMyid(authUser, Profile.id(id))) {
            //requested userid !exists or = my userid => show my profile
            showUser = authUser;
            isMyProfile = true;
        } else {
            showUser = utils.getParaClient().read(Profile.id(id));
            isMyProfile = isMyid(authUser, Profile.id(id));
        }

        if (showUser == null || !ParaObjectUtils.typesMatch(showUser)) {
            return "redirect:" + PROFILELINK;
        }

Poc vulnerable url

https://live.scoold.com/people/avatar?url=https://shdgrhj11vba558yg5quchg3kuqmeb.burpcollaborator.net

Poc image

https://drive.google.com/file/d/1PriQQ2LsMZy42225zvdx-pCU5kiPAjRM/view?usp=sharing/

💥 Impact

they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.

We have contacted a member of the erudika/scoold team and are waiting to hear back 4 months ago
Alex Bogdanovski validated this vulnerability 4 months ago
Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alex
3 months ago

Maintainer


Could you please post the POC image again. I can't open it.

Raptor
3 months ago

Researcher


yes sure

Raptor
3 months ago

Researcher


https://drive.google.com/file/d/1PriQQ2LsMZy42225zvdx-pCU5kiPAjRM/view?usp=drivesdk

Alex
3 months ago

Maintainer


Thanks a lot!

Raptor
3 months ago

Researcher


welcome

Alex Bogdanovski confirmed that a fix has been merged on 820664 3 months ago
Alex Bogdanovski has been awarded the fix bounty