
Streamlit — A faster way to build and share data apps.
https://streamlit.io
Apache License 2.0

INTERNAL IP LEAKED #9154

Closed omk4r72 closed 3 months ago

omk4r72 commented 3 months ago

Checklist

Summary

Report: an internal IP address behind the target domain can be discovered (see the screenshot under Current Behavior) and then targeted with a denial-of-service attack.

Reproducible Code Example

<!doctype html>
<!-- Streamlit front-end shell: the HTML the browser receives before the app's
     JavaScript runs. Review note: every asset is referenced by a path relative
     to this page (./favicon.png, ./vendor/..., ./static/...) and the inline
     runtime sets its public path to "./" as well; no hostname or IP address
     appears anywhere in this document. -->
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"/>
<link rel="shortcut icon" href="./favicon.png"/>
<title>Streamlit</title>
<!-- Vendored libraries served from the same origin. The viz script is tagged
     type="javascript/worker", a type the browser does not execute as a normal
     script; presumably the app fetches it later as a Web Worker. None of these
     tags carry an integrity attribute, which is acceptable for same-origin
     files but worth adding if they are ever moved to a CDN. -->
<script src="./vendor/viz/viz-1.8.0.min.js" type="javascript/worker"></script>
<script src="./vendor/bokeh/bokeh-2.4.1.min.js"></script>
<script src="./vendor/bokeh/bokeh-widgets-2.4.1.min.js"></script>
<script src="./vendor/bokeh/bokeh-tables-2.4.1.min.js"></script>
<script src="./vendor/bokeh/bokeh-api-2.4.1.min.js"></script>
<script src="./vendor/bokeh/bokeh-gl-2.4.1.min.js"></script>
<script src="./vendor/bokeh/bokeh-mathjax-2.4.1.min.js"></script>
<link href="./static/css/5.71be5c0a.chunk.css" rel="stylesheet">
<link href="./static/css/main.b46f6fce.chunk.css" rel="stylesheet">
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
<script>
/*
 * Inline module-loader runtime (it looks like the standard webpack-generated
 * JSONP runtime; the global it hooks is "webpackJsonpstreamlit-browser").
 * It is invoked with an empty module table `e` and defines:
 *   t - JSONP callback that absorbs a loaded chunk
 *   r - runs deferred entry modules once all of their chunks are present
 *   o - the module require function, with loader helpers attached to it
 */
!function(e){
  // JSONP callback. t = [chunkIds, modules, entries]: installs the chunk's
  // modules into the table e, resolves the promises of chunks that were being
  // awaited, queues any entry modules the chunk carries, and runs what is ready.
  function t(t){
    for(var c,n,o=t[0],a=t[1],u=t[2],i=0,s=[];i<o.length;i++)
      // f[n] holds [resolve, reject, promise] while a chunk is in flight;
      // collect its resolver, then mark the chunk loaded (0)
      n=o[i],Object.prototype.hasOwnProperty.call(f,n)&&f[n]&&s.push(f[n][0]),f[n]=0;
    for(c in a)Object.prototype.hasOwnProperty.call(a,c)&&(e[c]=a[c]);
    // l is the JSONP array's original push; it is still undefined while the
    // initial queue is replayed at the bottom of this function, so those
    // entries are not forwarded a second time
    for(l&&l(t);s.length;)s.shift()();
    return d.push.apply(d,u||[]),r()
  }
  // Executes every deferred entry [moduleId, ...chunkIds] whose chunks are all
  // loaded (f[id] === 0) and returns the exports of the last one it ran.
  function r(){
    for(var e,t=0;t<d.length;t++){
      for(var r=d[t],c=!0,n=1;n<r.length;n++){
        var a=r[n];
        0!==f[a]&&(c=!1)
      }
      c&&(d.splice(t--,1),e=o(o.s=r[0]))
    }
    return e
  }
  // c: module cache (id -> {i, l, exports}).
  // n: CSS chunk state, f: JS chunk state. 0 = loaded, undefined = never
  //    requested, otherwise in flight (a Promise in n, [resolve, reject,
  //    promise] in f). Chunk 4 is pre-marked loaded in both tables
  //    (presumably the chunk this runtime itself belongs to).
  // d: deferred entry modules still waiting on chunks.
  var c={},n={4:0},f={4:0},d=[];
  // Module require: returns cached exports, or instantiates module t from the
  // table e by calling it with (module, exports, require).
  function o(t){
    if(c[t])return c[t].exports;
    var r=c[t]={i:t,l:!1,exports:{}};
    return e[t].call(r.exports,r,r.exports,o),r.l=!0,r.exports
  }
  // Lazy chunk loader (o.e): returns a Promise that settles once chunk e's CSS
  // (only chunk 6 has any, per the {6:1} table) and JS are both loaded.
  o.e=function(e){
    var t=[];
    n[e]?t.push(n[e]):0!==n[e]&&{6:1}[e]&&t.push(n[e]=new Promise((function(t,r){
      // CSS side: if a <link rel=stylesheet> or <style data-href> for this
      // chunk already exists, resolve immediately; otherwise inject a <link>.
      // URLs are built from o.p ("./"), i.e. relative to this page's origin.
      for(var c="static/css/"+({}[e]||e)+"."+{0:"31d6cfe0",1:"31d6cfe0",2:"31d6cfe0",6:"f5138d60",7:"31d6cfe0",8:"31d6cfe0",9:"31d6cfe0",10:"31d6cfe0",11:"31d6cfe0",12:"31d6cfe0",13:"31d6cfe0",14:"31d6cfe0",15:"31d6cfe0",16:"31d6cfe0",17:"31d6cfe0",18:"31d6cfe0",19:"31d6cfe0",20:"31d6cfe0",21:"31d6cfe0",22:"31d6cfe0",23:"31d6cfe0",24:"31d6cfe0",25:"31d6cfe0",26:"31d6cfe0",27:"31d6cfe0",28:"31d6cfe0",29:"31d6cfe0",30:"31d6cfe0",31:"31d6cfe0",32:"31d6cfe0",33:"31d6cfe0",34:"31d6cfe0",35:"31d6cfe0",36:"31d6cfe0",37:"31d6cfe0",38:"31d6cfe0",39:"31d6cfe0",40:"31d6cfe0",41:"31d6cfe0",42:"31d6cfe0",43:"31d6cfe0",44:"31d6cfe0",45:"31d6cfe0",46:"31d6cfe0",47:"31d6cfe0"}[e]+".chunk.css",f=o.p+c,d=document.getElementsByTagName("link"),a=0;a<d.length;a++){
        var u=(l=d[a]).getAttribute("data-href")||l.getAttribute("href");
        if("stylesheet"===l.rel&&(u===c||u===f))return t()
      }
      var i=document.getElementsByTagName("style");
      for(a=0;a<i.length;a++){
        var l;
        if((u=(l=i[a]).getAttribute("data-href"))===c||u===f)return t()
      }
      var s=document.createElement("link");
      // On failure the bad <link> is removed and the chunk's CSS state is
      // cleared so a later o.e(e) retries; the promise rejects with an Error
      // carrying code CSS_CHUNK_LOAD_FAILED and the requested URL.
      s.rel="stylesheet",s.type="text/css",s.onload=t,s.onerror=function(t){
        var c=t&&t.target&&t.target.src||f,d=new Error("Loading CSS chunk "+e+" failed.\n("+c+")");
        d.code="CSS_CHUNK_LOAD_FAILED",d.request=c,delete n[e],s.parentNode.removeChild(s),r(d)
      },s.href=f,document.getElementsByTagName("head")[0].appendChild(s)
    })).then((function(){n[e]=0})));
    // JS side: f[e] is 0 (loaded, nothing to do), an in-flight record (reuse
    // its promise), or undefined (start a new <script> load).
    var r=f[e];
    if(0!==r)
      if(r)t.push(r[2]);
      else{
        var c=new Promise((function(t,c){r=f[e]=[t,c]}));
        t.push(r[2]=c);
        var d,a=document.createElement("script");
        // o.nc is the CSP nonce hook. Nothing in this runtime assigns it, so the
        // injected <script> carries a nonce only if other code sets o.nc first.
        a.charset="utf-8",a.timeout=120,o.nc&&a.setAttribute("nonce",o.nc),a.src=function(e){
          return o.p+"static/js/"+({}[e]||e)+"."+{0:"ef7179b6",1:"ea083f70",2:"0814613e",6:"fb896514",7:"a6db62e9",8:"1d990c70",9:"b5b265f7",10:"d2cd45a6",11:"a36d3f16",12:"f0ddb2c7",13:"9142a513",14:"4d84a801",15:"b61c8d5b",16:"ff784cb4",17:"6db121fe",18:"ab9c4fb3",19:"043576b8",20:"4abf2fb8",21:"769edc45",22:"d4351be2",23:"08ec44e5",24:"43c227be",25:"29d7e67c",26:"863c29d4",27:"b4f335bf",28:"00d19381",29:"c3c952bf",30:"49c473d5",31:"4af97f56",32:"9559ed87",33:"a2ce6fbb",34:"1e212433",35:"b59c5077",36:"99569331",37:"7ef44d13",38:"62c81bdf",39:"1f72212f",40:"9ed83ae7",41:"b9c54715",42:"8c4d632a",43:"01ad2d0e",44:"06630483",45:"5041f7ee",46:"c256aff5",47:"1612ef69"}[e]+".chunk.js"
        }(e);
        var u=new Error;
        // Completion handler for load, error and timeout. A "load" event that
        // reaches here means the script ran without registering the chunk, so
        // it is reported as "missing"; the chunk state is reset to undefined
        // so a later o.e(e) can retry.
        d=function(t){
          a.onerror=a.onload=null,clearTimeout(i);
          var r=f[e];
          if(0!==r){
            if(r){
              var c=t&&("load"===t.type?"missing":t.type),n=t&&t.target&&t.target.src;
              u.message="Loading chunk "+e+" failed.\n("+c+": "+n+")",u.name="ChunkLoadError",u.type=c,u.request=n,r[1](u)
            }
            f[e]=void 0
          }
        };
        // 120 s watchdog (12e4 ms), matching a.timeout=120 above
        var i=setTimeout((function(){d({type:"timeout",target:a})}),12e4);
        a.onerror=a.onload=d,document.head.appendChild(a)
      }
    return Promise.all(t)
  },
  // module table and cache, exposed on the require function
  o.m=e,o.c=c,
  // o.d: define a getter-only export if not already present
  o.d=function(e,t,r){o.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:r})},
  // o.r: mark an exports object as an ES module
  o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},
  // o.t: interop wrapper. t is a bit mask: 1 = require e first, 8 = return
  // as is, 4 = return as is if already an ES module, 2 = copy own properties
  // of a non-string value onto the namespace object as getters.
  o.t=function(e,t){
    if(1&t&&(e=o(e)),8&t)return e;
    if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;
    var r=Object.create(null);
    if(o.r(r),Object.defineProperty(r,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)
      for(var c in e)o.d(r,c,function(t){return e[t]}.bind(null,c));
    return r
  },
  // o.n: getter for a module's default export (or the module itself when it
  // is not an ES module), exposed as property "a"
  o.n=function(e){
    var t=e&&e.__esModule?function(){return e.default}:function(){return e};
    return o.d(t,"a",t),t
  },
  o.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},
  // public path: relative, so chunk URLs resolve against the page's own location
  o.p="./",
  // error handler for failed async loads: log, then rethrow
  o.oe=function(e){throw console.error(e),e};
  // Hook the JSONP global (this is the window in a classic script): replay any
  // chunks that were pushed before this runtime ran, then route future pushes
  // through t, which also forwards them to the original push via l.
  var a=this["webpackJsonpstreamlit-browser"]=this["webpackJsonpstreamlit-browser"]||[],u=a.push.bind(a);
  a.push=t,a=a.slice();
  for(var i=0;i<a.length;i++)t(a[i]);
  var l=u;
  r()
}([])
</script>
<!-- The two chunks that boot the app; presumably they register themselves
     through the push hook installed above. Again relative paths only. -->
<script src="./static/js/5.df97478a.chunk.js"></script>
<script src="./static/js/main.468e22f6.chunk.js"></script>
</body>
</html>

Steps To Reproduce

To find this, I used search-engine dorks and subdomain brute-forcing against the domain, obtained the internal IP from Shodan, and then ran a DoS attack against that IP; the DoS attack on the domain's internal IP succeeded.

Expected Behavior

An attacker can run a denial-of-service attack against this internal IP and take down the server behind the domain. (This describes the claimed impact; the expected behavior would be that the internal IP is not discoverable from outside.)

Current Behavior

The internal IP can be leaked (see screenshot: Screenshot 2024-07-27 115812).

Is this a regression?

Debug info

Additional Information

None.

github-actions[bot] commented 3 months ago

If this issue affects you, please react with a 👍 (thumbs up emoji) to the initial post.

Your feedback helps us prioritize which bugs to investigate and address first.


lukasmasuch commented 3 months ago

@omk4r72 Thanks for reporting this. Unfortunately, I wasn't able to fully understand the description and reproduce this case. Are you referring to an app deployed on Community Cloud or apps in general?

omk4r72 commented 3 months ago

Steps: 1) dork for subdomains of the target domain; 2) pull the corresponding IP from Shodan; 3) check the open ports of the filtered IP; 4) run the DoS attack and check whether the main domain is still up.

jokester commented 3 months ago

The title is scary, but I need a translator for the description.

jokester commented 3 months ago

If the problem is about a WebRTC-based image/camera component, I'd say it's more or less expected: connecting peers via their "real" IP addresses is how WebRTC works.

lukasmasuch commented 3 months ago

We looked into this issue more closely but couldn't find any trace of core Streamlit or Community Cloud exposing an internal IP. It could be related to an external dependency (e.g., WebRTC) or to a misconfiguration of the instance on which the app is deployed, but that is outside of our control. Note also that the HTML posted as the reproducible example is the static front-end shell, which references its assets only by relative paths and contains no IP address, and that the steps described (subdomain enumeration, a Shodan lookup, and a DoS) target the hosting infrastructure rather than Streamlit code. If you have any other relevant information, please share it here.