PeggyJV / sommelier-strangelove

https://sommelier.strangelove.ventures/

Bugbounty - Image URL cdn to load image #1164

Closed henrio123 closed 1 year ago

henrio123 commented 1 year ago

Business case: Immunefi bug submit.

I found that the image URLs use a specific CDN to load images. However, it has no strict rules, so anyone uploading images to that CDN will be able to call them from your website.

Impact: Funds of users at risk via advanced phishing.

Risk breakdown: External content injection.

Recommendation: Sanity hosts your images like this: cdn.sanity.io/images/{projectID}, so you should not accept requests that don't match your Sanity project ID.

Proof of concept: Visit this URL: https://www.sommelier.finance/_next/image?url=https://cdn.sanity.io/images/i45whj9n/production/1fec95882874dd7faee5cc03419bf67c12e87a66-591x500.png&w=2048&q=100 And think what would happen if an attacker created and released a URL looking like that in your Discord server.


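The check at issue, as an added example that is not part of this issue, the sommelier-website repository, or PR #302: a URL validator in the shape the `/_next/image?url=` optimizer applies to remote images, showing the host-only rule the reporter describes next to one pinned to a single Sanity project ID, plus the equivalent Next.js `images.remotePatterns` entry. The project ID `EXAMPLE_PROJECT_ID` is a placeholder, the sample URLs are constructed, and the Next.js `remotePatterns` option is an assumption (the page names neither).

```javascript
// Added illustration for this issue; not code from sommelier-website or
// from PR #302. It contrasts the host-only rule the report describes
// (any image on the shared cdn.sanity.io host is proxied) with a rule
// pinned to one Sanity project ID, as the reporter recommends.
// "EXAMPLE_PROJECT_ID" is a placeholder, not the site's real project ID.

const SANITY_HOST = "cdn.sanity.io";
const PROJECT_ID = "EXAMPLE_PROJECT_ID"; // placeholder, not a real project

function parseHttps(rawUrl) {
  // The WHATWG URL parser lower-cases the host and resolves "." / ".."
  // segments (including %2e-encoded ones), so the prefix test below runs
  // on a canonical path rather than on attacker-chosen spelling.
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;
  }
  return u.protocol === "https:" ? u : null;
}

// Weak rule: host only. Every Sanity project shares this CDN host, so an
// image uploaded to any other project passes and is then served under the
// site's own origin through /_next/image?url=...
function isAllowedHostOnly(rawUrl) {
  const u = parseHttps(rawUrl);
  return u !== null && u.hostname === SANITY_HOST;
}

// Strict rule: host plus the site's own project path prefix.
function isAllowedStrict(rawUrl, projectId = PROJECT_ID) {
  const u = parseHttps(rawUrl);
  if (u === null || u.hostname !== SANITY_HOST) return false;
  return u.pathname.startsWith(`/images/${projectId}/`);
}

// The same restriction as a Next.js image config (assumed: a Next.js
// version with images.remotePatterns). The "pathname" glob pins the
// optimizer to one project rather than to the whole host.
const nextImagesConfig = {
  remotePatterns: [
    {
      protocol: "https",
      hostname: SANITY_HOST,
      pathname: `/images/${PROJECT_ID}/**`,
    },
  ],
};

// Run both rules over a set of URLs and return where they disagree,
// i.e. where the host-only rule would proxy a foreign image.
function compareRules(urls, projectId = PROJECT_ID) {
  return urls.map((url) => ({
    url,
    hostOnly: isAllowedHostOnly(url),
    strict: isAllowedStrict(url, projectId),
  }));
}

// Constructed sample inputs (not URLs from the report).
const SAMPLE_URLS = [
  `https://cdn.sanity.io/images/${PROJECT_ID}/production/own-asset.png`,
  "https://cdn.sanity.io/images/someoneelse/production/foreign.png",
  `https://cdn.sanity.io/images/${PROJECT_ID}/../someoneelse/foreign.png`,
  "http://cdn.sanity.io/images/EXAMPLE_PROJECT_ID/production/plain.png",
  "https://cdn.sanity.io.attacker.example/images/EXAMPLE_PROJECT_ID/x.png",
  "not a url",
];

console.table(compareRules(SAMPLE_URLS));
```

Only the first sample passes the strict rule; the second and third pass the host-only rule while belonging to a different project, which is exactly the gap the report points at. The remaining three (plain HTTP, a look-alike host, unparsable input) are rejected by both.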
philipjames44 commented 1 year ago

Fixed in https://github.com/strangelove-ventures/sommelier-website/pull/302