The functionality add attachment to parts allows access to local ports (SSRF). #1230

alestorm980 · 2022-01-04T14:31:21Z

Bug description

In PartKeepr before v1.4.0, the functionality to upload attachments using a URL when creating a part, does not validate that requests can be send to local ports, allowing SSRF attacks and port enumeration.

Steps to reproduce

Go to 'Add Part'.
Click on 'Attachments'.
Click on 'Add'.
Fill the 'URL' field with an url using a local port "http://127.0.0.1:3306".
Click on the uploaded file in order to download the file and see the content.

Expected behavior

The application should not allow access to local ports.

Observed behavior

Local ports can be access inside the server.

Screenshots and files

System Information

PartKeepr Version: v1.4.0 and v0.1.9
Operating System: Linux
Web Server: Apache
PHP Version: 7.4
Database and version: Mysql
Reproducible on the demo system: Yes.

alestorm980 · 2022-01-06T15:19:55Z

I attach the link to the advisory https://fluidattacks.com/advisories/joplin/

alestorm980 added Bug needs-triage incoming, please sort labels Jan 4, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The functionality add attachment to parts allows access to local ports (SSRF). #1230

The functionality add attachment to parts allows access to local ports (SSRF). #1230

alestorm980 commented Jan 4, 2022

alestorm980 commented Jan 6, 2022

The functionality add attachment to parts allows access to local ports (SSRF). #1230

The functionality add attachment to parts allows access to local ports (SSRF). #1230

Comments

alestorm980 commented Jan 4, 2022

Bug description

Steps to reproduce

Expected behavior

Observed behavior

Screenshots and files

System Information

alestorm980 commented Jan 6, 2022