mythz
commented
2 years ago Hi Joel,
It looks like the issue is their proxy that allows proxying any URLs. Can you explain more about what the actual "feature" is that you've found? There's no feature built into ServiceStack that allows you return the contents of a user-defined URL like their /outside/proxy API does.
We do have a Proxy Feature Plugin but that only reverse proxies contents from static server-defined downstream sources. This must be a Custom proxy implementation they've specifically built themselves that returns the contents of user-defined URLs, any URL validation would need to be added in their custom implementation.
We would like to notify them of this issue, unfortunately we have no record postclickmarketing.com or rockcontent as customers. How were you made aware they used ServiceStack, do you know how to reach their developers?
joelboucher
I found an "feature" that allows me to pass URLs via the API. Take a platform that is using ServiceStack like this "ion" marketing platform -- https://dhl.postclickmarketing.com/Admin/Login?ReturnUrl=%2fadmin%2fdashboard
After trying a few things, I found that “http://2852039166/” works as a parameter in the URL ("http://2852039166/" is a bypass using a decimal IP location) And it gives me some access to the AWS instance where it is installed. So something like this.. https://dhl.postclickmarketing.com/Admin/api/outside/proxy/?url=http://2852039166/latest/dynamic/instance-identity/document or https://principalfunds.postclickmarketing.com/Admin/api/outside/proxy/?url=http://2852039166/2021-07-15/dynamic/instance-identity/signature
Using this URL, I can easily view server directories, read files, download AWS tokens, and other confidential information.