cozy / cozy-stack

Simple, Versatile, Yours
https://docs.cozy.io/en/cozy-stack/
GNU Affero General Public License v3.0

SafeControl Controller is not checking all Internal URLs #4380

Closed aydinnyunus closed 5 months ago

aydinnyunus commented 5 months ago

Hi Team,

I found an SSRF vulnerability in the Cozy-Stack package. You can also use the ::1 IPv6 address to bypass it.

You can find the PoC at the following Playground link. The IsPrivate function did not check all of the internal URLs, so you can use the IsLinkLocalUnicast, IsLinkLocalMulticast and IsLoopback functions to do that.

Impact

169.254.169.254 is one of the AWS metadata server IP addresses and it should not be accessible to external users. But if a web server uses the IsPrivate function, it can be bypassed.
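An added Go example (not cozy-stack's own safehttp code) that reproduces the gap described in this report: net.IP.IsPrivate alone accepts 169.254.169.254 and ::1, while combining it with the loopback, link-local and unspecified checks rejects them. The function names are mine, and the sample addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
)

// PrivateOnly mirrors a filter that relies on IsPrivate alone (RFC 1918
// ranges and fc00::/7); it does not cover loopback or link-local space.
func PrivateOnly(host string) bool {
	ip := net.ParseIP(host)
	return ip != nil && ip.IsPrivate()
}

// isInternalIP combines the checks an SSRF filter needs so that the
// metadata address (169.254.0.0/16), ::1/127.0.0.0/8 and 0.0.0.0/:: are
// all treated as internal, including their IPv4-mapped IPv6 forms.
func isInternalIP(ip net.IP) bool {
	return ip.IsPrivate() ||
		ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified()
}

// IsInternalHost parses an IPv4 or IPv6 literal and reports whether an
// outbound request to it should be refused. Non-literal hosts are an
// error here: a real filter must resolve them and check every result.
func IsInternalHost(host string) (bool, error) {
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("not an IP literal: %q", host)
	}
	return isInternalIP(ip), nil
}

func main() {
	// Constructed sample hosts: the two from the report plus a public one.
	for _, h := range []string{"169.254.169.254", "::1", "93.184.216.34"} {
		internal, _ := IsInternalHost(h)
		fmt.Printf("%-16s IsPrivate=%-5v combined=%v\n", h, PrivateOnly(h), internal)
	}
}
```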

nono commented 5 months ago

Hello,

Thanks for the issue.

For ::1, it is allowed only for development, not in production. Cf. https://github.com/cozy/cozy-stack/blob/master/pkg/safehttp/client.go#L84-L93

For 169.254.168.254 (and other link-local addresses), a fix is coming.

aydinnyunus commented 5 months ago

Hi again,

I mean if it is not in development mode, the IsPrivate function returns that it is not private for IPv6.

nono commented 5 months ago

Yes, that's why we are using IsLoopback to block ::1 in production.