The SSRF vulnerability exists in the system. #402
Comments
A hacker who can configure the workflow, I think, can just use the telnet command to find the open ports.

@blackholll The intranet port cannot be reached through telnet; for example, 192.168.x.x, which is in the same network segment as the system. External telnet cannot reach this port, but the system host can send a payload to the intranet machine through the system vulnerability.

That makes sense for a SaaS situation.

A new configuration item "HOOK_HOST_ALLOWED" was added in r2.0.16.
ISSUE TEMPLATE
Version used:
r2.0.14
Detailed description of the problem:
The SSRF vulnerability exists in the system.
After the admin has logged in, create a new workflow, set the participant type to hook, and set the participant's hook_url parameter to an intranet address. Example: {"hook_url": "http://127.0.0.1:8000/", "hook_token": "111", "wait": false, "extra_info": "111"}
Select the workflow we created when creating a new work order.
Viewing the operation history of the work order, the system reports: Expecting "line 1 column 1 (char 0)".
When the accessed port is closed, the error is Connection refused, for example: HTTPConnectionPool(host='127.0.0.1', port=8808): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1ad48cc048>: Failed to establish a new connection: [Errno 111] Connection refused',))
In this way, we can judge whether a port on the intranet is open from the different errors.
For example, if I set "hook_url" to http://127.0.0.1:6379, there is an error: "('Connection aborted.', RemoteDisconnected('Remote end closed connection without response',))", from which you can determine that a Redis service exists on the intranet.
In addition, packets can be sent to intranet services through this function, causing DoS attacks.
The cause of the vulnerability:

There are no restrictions on the request address.
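The report above shows the two ingredients of the bug: the server fetches whatever `hook_url` an admin supplies, and the resulting error text tells the caller whether the target port was open, closed, or speaking a non-HTTP protocol. The maintainer's reply mentions a `HOOK_HOST_ALLOWED` setting in r2.0.16. The following is an added example of how such a hook-URL check can be written; it is not loonflow's code and not the actual `HOOK_HOST_ALLOWED` implementation. The allowlist format (a plain list of hostnames), the function names `validate_hook_url`/`is_public_ip`/`resolve_all`, and the DNS answers used in the demo are all assumptions constructed for this example.

```python
"""Hook-URL validation against SSRF (added example, not loonflow's own code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example. The real HOOK_HOST_ALLOWED setting
# in r2.0.16 may use a different format; treating it as a hostname list is an
# assumption made here.
HOOK_HOST_ALLOWED = ["hooks.example.com"]

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (including the 169.254.169.254 cloud
    metadata address), multicast, unspecified, and IPv4-mapped IPv6 forms of
    those (::ffff:127.0.0.1) are all rejected.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # zone ids or junk from a resolver: treat as unsafe
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Default resolver: every address the host resolves to (A and AAAA, TCP)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_hook_url(url, allowed_hosts=HOOK_HOST_ALLOWED, resolve=resolve_all):
    """Return (ok, reason); ok is True only if the server may call this URL.

    `resolve` is injectable so the check can be exercised without real DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        # http://hooks.example.com@127.0.0.1:6379/ would otherwise look
        # allowlisted to a naive substring check; the real host is 127.0.0.1.
        return False, "credentials in URL not allowed"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, "host not in allowlist: %r" % host
    # An allowlisted name can still point at an internal address (misconfigured
    # allowlist, or a name the attacker controls), so check every resolved IP.
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve: %r" % host
    for addr in addrs:
        if not is_public_ip(addr):
            return False, "%r resolves to non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    table = {"hooks.example.com": ["8.8.8.8"], "internal.example.com": ["10.0.0.5"]}
    fake_resolve = lambda h: table.get(h, [])
    for u in ["http://127.0.0.1:8000/",
              "http://127.0.0.1:6379",
              "http://hooks.example.com/cb",
              "http://hooks.example.com@127.0.0.1:6379/",
              "http://internal.example.com/cb"]:
        print(u, validate_hook_url(u, ["hooks.example.com", "internal.example.com"],
                                   resolve=fake_resolve))
```

Two caveats a practitioner should keep in mind. First, validating at save time only is not enough: the name must be re-resolved, or the resolved IP pinned, at the moment the hook is actually called, otherwise a DNS record that changes between the check and the request (rebinding) bypasses it. Second, the port-scan oracle described in the report is independent of the allowlist; the operation history shown to users should carry a single generic "hook call failed" message, with the underlying `Connection refused` / `RemoteDisconnected` detail kept in server-side logs only.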