jolav / codetabs

Free Online Services. Github/GitLab star history. Count Lines of Code. CORS proxy server. IP GeoLocation. HTTP Headers. Random Data. Api weather temp. Alexa ranking.
https://codetabs.com
BSD 3-Clause "New" or "Revised" License
238 stars 32 forks

Proxy gives access to internal server(s) #24

Closed grumpinout1 closed 1 year ago

grumpinout1 commented 1 year ago

Hi,

I was checking out a project that makes use of the CORS proxy, and noticed that I was able to access the internal server, which should not be possible.

The following URL shows the default Nginx page of your server: https://api.codetabs.com/v1/proxy?quest=http://localhost. This introduces a security risk if a hacker brute forces directories to find hidden endpoints.

Happy new year and kind regards

Grumpinout

grumpinout1 commented 1 year ago

Implementing https://github.com/doyensec/safeurl should protect you against any attacks.
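The two comments above describe a classic SSRF in a fetch proxy: the `quest` parameter is handed to an HTTP client unchecked, so `http://localhost` reaches the proxy's own Nginx. The Go below is an added example of the guard such a proxy needs; it is not codetabs' code and not safeurl's. It assumes the proxy is written in Go (the repository's language) and shows the two checks that both have to be present: validating every address the target name resolves to before the request, and re-checking the address the dialer actually connects to, which is what stops DNS rebinding and redirect tricks that a one-time URL check misses. `fakeLookup` is a constructed resolver so the code runs offline; in production `net.LookupIP` is passed instead.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Ranges the net.IP predicates below do not classify as private/loopback/
// link-local but which a public fetch proxy still must not reach.
var extraForbidden = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range []string{"0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15", "240.0.0.0/4"} {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

// isForbiddenIP reports whether an address points somewhere the proxy must
// never connect: loopback (what quest=http://localhost reached), RFC 1918,
// link-local (cloud metadata sits at 169.254.169.254), multicast, unspecified.
// IPv4-mapped IPv6 forms like ::ffff:127.0.0.1 are covered because net.IP's
// predicates call To4 internally.
func isForbiddenIP(ip net.IP) bool {
	if ip == nil {
		return true // unparsable input is treated as forbidden
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range extraForbidden {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// forbiddenAddr is isForbiddenIP for a textual address.
func forbiddenAddr(s string) bool { return isForbiddenIP(net.ParseIP(s)) }

// validateTarget checks a user-supplied URL before any request is made.
// Every address the name resolves to must be allowed; an attacker who
// controls DNS can otherwise mix a public and a private record.
func validateTarget(raw string, lookup func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname() // strips the [] around IPv6 literals
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%s resolves to no address", host)
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return nil, fmt.Errorf("%s resolves to forbidden address %s", host, ip)
		}
	}
	return u, nil
}

// newProxyClient re-checks the address the dialer is about to connect to,
// closing the window between validateTarget's lookup and the transport's own
// lookup (DNS rebinding), and revalidates every redirect target so a public
// host cannot bounce the proxy to localhost.
func newProxyClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if forbiddenAddr(host) {
				return fmt.Errorf("refusing to connect to %s", host)
			}
			return nil
		}}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := validateTarget(req.URL.String(), net.LookupIP)
			return err
		},
	}
}

// fakeLookup is a constructed resolver for offline use; records are made up
// for this example (93.184.216.34 stands in for "some public address").
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"localhost":     {net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		"example.com":   {net.ParseIP("93.184.216.34")},
		"rebind.test":   {net.ParseIP("93.184.216.34"), net.ParseIP("10.0.0.5")},
		"metadata.test": {net.ParseIP("169.254.169.254")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{"http://localhost", "http://example.com/", "http://[::ffff:127.0.0.1]/"} {
		if _, err := validateTarget(raw, fakeLookup); err != nil {
			fmt.Println("blocked:", raw, "->", err)
		} else {
			fmt.Println("allowed:", raw)
		}
	}
	_ = newProxyClient() // use client.Get(u.String()) only after validateTarget succeeds
}
```

The dial-time `Control` hook is the part most home-grown filters omit: a hostname such as `2130706433` or `0x7f000001` fails `net.ParseIP` and the table lookup here, but some libc resolvers still turn it into 127.0.0.1, and a short-TTL record can change between the pre-check and the connect. Checking the literal address the socket is about to connect to makes those cases irrelevant.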

jolav commented 1 year ago

Thanks a lot for the feedback. Really clever. I never thought of that possibility.

jolav commented 1 year ago

v0.7.20 fixes this.