Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CWE-918] Blind SSRF in /api/v1/comment #1677

Closed
jet-pentest opened this issue Oct 10, 2023 · 7 comments · Fixed by #1681
Closed

[CWE-918] Blind SSRF in /api/v1/comment #1677

jet-pentest opened this issue Oct 10, 2023 · 7 comments · Fixed by #1681
Milestone
v1.13.0

Comments

@jet-pentest
Copy link

Hi! I found an issue in remark42 engine.
When field "title" is missing in comment request and attacker send a malicious URL which is a part of locator struct on POST request to /api/v1/comment?site=<SITE_ID>, it leads to Blind SSRF vulnerability.
As example, malicious URL looks like this:
{"text":"qweqwe","locator":{"site":"remark","url":"https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com"}}
This malicious JSON in request to /api/v1/comment?site=<SITE_ID> leads to Blind SSRF
Снимок экрана 2023-10-10 в 11 59 07
As another way, malicious field "title", which should be fully cutted by sanitizer, also leads to blind SSRF.
paskal added a commit that referenced this issue Oct 10, 2023
@paskal
reproduce report of CWE-918 from #1677
e3d9f99
paskal added a commit that referenced this issue Oct 10, 2023
@paskal
reproduce report of CWE-918 from #1677
3c23d17
@paskal paskal mentioned this issue Oct 10, 2023
Merged
paskal added a commit that referenced this issue Oct 10, 2023
@paskal
reproduce report of CWE-918 from #1677
b25a56b
@paskal
Copy link
Collaborator

paskal commented Oct 10, 2023
edited
Loading

Thank you for the report!

As another way, malicious field "title", which should be fully cutted by sanitizer, also leads to blind SSRF.

Could you please clarify this point? Title is not sanitised now is sanitised except for some HTML tags like <b> and <a> but I don't understand how does it lead to blind SSRF.

umputun pushed a commit that referenced this issue Oct 10, 2023
@paskal @umputun
reproduce report of CWE-918 from #1677
10e4686
This was referenced Oct 10, 2023
Merged
Merged
@jet-pentest
Copy link
Author

Could you please clarify this point? Title is not sanitised now is sanitised except for some HTML tags like <b> and <a> but I don't understand how does it lead to blind SSRF.

@paskal Hi! In this case, a minimal payload that I was able to reproduce was: <script>alert();</script>. An sanitizer will fully clean "title" field.

@jet-pentest
Copy link
Author

Also, in my example, I was using a Burp Suite Collaborator as a part of Burp Suite. For development purposes, you may try to use it too. Another pay-free variant is http://webhook.site/. I hope it'll be helpful for you.

@paskal
Copy link
Collaborator

paskal commented Oct 10, 2023

What's the problem with <script>alert();</script> being converted to a empty title? It's not a vulnerability for sure.

@jet-pentest
Copy link
Author

What's the problem with <script>alert();</script> being converted to a empty title? It's not a vulnerability for sure.
@paskal
Sure, but SSRF with non empty title was not working. I was highlighted this, because not only removing title triggers SSRF. It's will be sanitizer's result of work. Also, it doesn't work, if you'll send empty title field due initial checks.

@jet-pentest
Copy link
Author

Thanks for fast resolve! You're the best:))

@paskal
Copy link
Collaborator

paskal commented Oct 12, 2023

@jet-pentest thanks for the report again! Please let us know if you would be able to reproduce anything else on https://remark42.com/demo/, that's very important information for us.

@paskal paskal mentioned this issue Nov 4, 2023
Merged
@paskal paskal added this to the v1.13.0 milestone Mar 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.13.0
Development

Successfully merging a pull request may close this issue.

Limit TitleExtractor to allow only Remark42 whitelisted domains umputun/remark42
2 participants
@paskal @jet-pentest