server-side request forgery (SSRF) vulnerability in OpenID sign in #4973

Closed
cezar97 opened this Issue Sep 21, 2018 · 1 comment

cezar97 commented Sep 21, 2018

Another SSRF issue (the others reported on Gogs repository).

Affected URL: https://try.gitea.io/user/login/openid

Payload as OpenID URI: http://127.0.0.1:22/

Response: ... "SSH-2.0-OpenSSH_7.5"

It's less severe than the one in the webhooks because in the case of a web server it doesn't show the full HTTP response body and headers, just that the openid2.provider isn't found.
It still shows server signatures for non-HTTP servers, for example for SSH, shown above.

zeripath commented Jan 11, 2019

OK, so this issue can be mitigated somewhat through the use of WHITELISTED_URIS and BLACKLISTED_URIS within the openid section of the app.ini. However, I've placed a PR to hide the error and just display a generic error instead.

zeripath added a commit to zeripath/gitea that referenced this issue Jan 11, 2019

Do not display the raw OpenID error in the UI
If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix go-gitea#4973

Signed-off-by: Andrew Thornton <art27@cantab.net>

techknowlogick added a commit that referenced this issue Jan 12, 2019

Do not display the raw OpenID error in the UI (#5705)
* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update auth_openid.go

Place error log within the `err != nil` branch.

zeripath added a commit to zeripath/gitea that referenced this issue Jan 13, 2019

Do not display the raw OpenID error in the UI (go-gitea#5705)
* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix go-gitea#4973

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update auth_openid.go

Place error log within the `err != nil` branch.

techknowlogick added a commit that referenced this issue Jan 13, 2019

Do not display the raw OpenID error in the UI (#5705) (#5712)
* Do not display the raw OpenID error in the UI

If there are no `WHITELIST_URIS` or `BLACKLIST_URIS` set in the openid
section of the app.ini, it is possible that gitea can leak sensitive
information about the local network through the error provided by the
UI. This PR hides the error information and logs it.

Fix #4973

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update auth_openid.go

Place error log within the `err != nil` branch.
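
The two mitigations discussed in this thread (restricting which URIs the server will contact, and showing a generic error while logging the raw one), sketched in Go as an added example. This is not Gitea's code: `checkOpenIDURI`, `handleSignIn`, `genericMsg` and the `discover` callback are hypothetical, and the address-class check stands in for the app.ini URI lists; hostnames would still need every resolved address vetted at connect time.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"net/url"
)

const genericMsg = "OpenID sign-in failed" // only text sent to the browser (hypothetical wording)

// checkOpenIDURI rejects URIs aimed at the server's own network (IP literals and "localhost" only).
func checkOpenIDURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("only http and https are allowed")
	}
	host := u.Hostname()
	ip := net.ParseIP(host)
	internal := ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
	if host == "" || host == "localhost" || internal {
		return fmt.Errorf("host %q is local or internal", host)
	}
	return nil
}

// handleSignIn models the handler; discover stands in for the OpenID discovery call.
func handleSignIn(uri string, discover func(string) error) string {
	err := checkOpenIDURI(uri)
	if err == nil {
		err = discover(uri)
	}
	if err != nil {
		log.Printf("openid sign-in %q: %v", uri, err) // detail stays in the server log
		return genericMsg
	}
	return "ok"
}

func main() {
	// Constructed discovery error that embeds a service banner.
	banner := func(string) error { return errors.New(`bad response "SSH-2.0-OpenSSH_7.5"`) }
	fmt.Println(handleSignIn("http://127.0.0.1:22/", banner))
	fmt.Println(handleSignIn("https://openid.example.org/", banner))
}
```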