I have identified potential security vulnerabilities in this project.
I am committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to me.
If you are NOT the correct point of contact for this report, please let me know!
Summary
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In typical SSRF examples, the attacker might cause the server to make a connection back to itself, to other web-based services within the organization's infrastructure, or to external third-party systems.
Severity
High
Product
https://github.com/Meowv/Blog
Tested Version
Current master branch as of efa7a0c
Complexity
Easy
Attack Vector
Remote / External
Details
The url parameter on the endpoint /api/meowv/tool/img is vulnerable to SSRF. This can be exploited using a proof of concept similar to that shown below.
curl -i -s -k -X $'GET' \
-H $'Host: api.meowv.com' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Dnt: 1' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' \
$'https://api.meowv.com/api/meowv/tool/img?url=http://localhost:22'
Root Cause Analysis
This attack can be attributed to this vulnerable snippet:

/// <summary>
/// Get img by url
/// </summary>
/// <param name="url"></param>
/// <returns></returns>
[Route("api/meowv/tool/img")]
public async Task<FileContentResult> GetImgAsync([Required] string url)
{
    using var client = _httpClient.CreateClient();
    // The caller-supplied url is fetched without any validation: this is the SSRF sink.
    var bytes = await client.GetByteArrayAsync(url);

    return new FileContentResult(bytes, "image/jpeg");
}
Here the external parameter url is passed directly to the GetByteArrayAsync call, causing an SSRF.
Impact
An adversary can carry out an SSRF attack to scan the internal network, perform sensitive actions, and download sensitive files like metadata.
Remediation
This can be avoided by validating untrusted input values against a trusted allow list.
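A hardened form of the endpoint, written as an added example for this report (not the project's own code): it accepts only absolute http(s) URLs, requires the host to be on an explicit allow list, and, as defence in depth, refuses hosts that resolve to loopback, link-local or RFC 1918 addresses. The controller class name, the IHttpClientFactory field and the allow-listed host static.meowv.com are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public class ToolController : ControllerBase
{
    private readonly IHttpClientFactory _httpClient;
    // Hypothetical allow list; replace with the hosts the blog really serves images from.
    private static readonly HashSet<string> AllowedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "static.meowv.com" };

    public ToolController(IHttpClientFactory httpClient) => _httpClient = httpClient;

    [Route("api/meowv/tool/img")]
    public async Task<IActionResult> GetImgAsync([Required] string url)
    {
        // Reject anything that is not an absolute http(s) URL (no file:, gopher:, relative paths).
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri) ||
            (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
            return BadRequest("url must be an absolute http(s) URL");
        // Only fetch from hosts we explicitly trust; localhost and internal names are never on the list.
        if (!AllowedHosts.Contains(uri.Host))
            return BadRequest("host is not on the allow list");
        // Defence in depth: an allow-listed name must not resolve to an internal address either.
        var addresses = await Dns.GetHostAddressesAsync(uri.Host);
        if (addresses.Any(IsInternalAddress))
            return BadRequest("host resolves to an internal address");

        using var client = _httpClient.CreateClient();
        var bytes = await client.GetByteArrayAsync(uri);
        return new FileContentResult(bytes, "image/jpeg");
    }

    private static bool IsInternalAddress(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        if (IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal) return true;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        var b = ip.GetAddressBytes(); // 10/8, 172.16/12, 192.168/16, 169.254/16
        return b[0] == 10 || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168) || (b[0] == 169 && b[1] == 254);
    }
}
```

HttpClient follows redirects by default, so the named client should also be registered with AllowAutoRedirect = false; otherwise an allow-listed host that redirects elsewhere would sidestep the check. The DNS lookup here and the one the client performs are separate, so pinning the resolved address (or resolving once in a custom handler) closes the remaining gap.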
GitHub Security Advisories
If possible, please could you create a private GitHub Security Advisory for these findings? This allows you to invite me to collaborate and further discuss these findings in private before they are published. I will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered.
When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours, and the CVE details will be published after you make your security advisory public. Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can update to the fixed version.
This was found using CodeQL by GitHub.