PartKeepr icon indicating copy to clipboard operation
PartKeepr copied to clipboard
verified publisher icon partkeepr

The functionality add attachment to parts allows access to local ports (SSRF).

Open alestorm980 opened this issue 4 years ago • 1 comments

Bug description

In PartKeepr before v1.4.0, the functionality to upload attachments using a URL when creating a part, does not validate that requests can be send to local ports, allowing SSRF attacks and port enumeration.

Steps to reproduce

  1. Go to 'Add Part'.
  2. Click on 'Attachments'.
  3. Click on 'Add'.
  4. Fill the 'URL' field with an url using a local port "http://127.0.0.1:3306".
  5. Click on the uploaded file in order to download the file and see the content.

Expected behavior

The application should not allow access to local ports.

Observed behavior

Local ports can be access inside the server.

Screenshots and files

ssrf

mysql_open_port

close_port

System Information

  • PartKeepr Version: v1.4.0 and v0.1.9
  • Operating System: Linux
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql
  • Reproducible on the demo system: Yes.

alestorm980 avatar Jan 04 '22 14:01 alestorm980

I attach the link to the advisory https://fluidattacks.com/advisories/joplin/

alestorm980 avatar Jan 06 '22 15:01 alestorm980