Server Side Request Forgery (SSRF) #7
I've read a few articles about how to try to fix that, like this one: http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-3.html
Note that the IP address blacklist must happen after resolving domain names. DNS checking can be tricky since you must assume that the attacker controls the DNS and can return a different IP when you check and when you use it again for doing the request (TOCTOU). The blacklist should contain much more than just 127.* and localhost. Consider other local addresses (link-local, LAN, …) and IPv6. Happy to look at your patch and attempt to bypass, if that helps.
About your first point, I think I can grab some good stuff from https://github.com/fin1te/safecurl, like these local addresses:
Maybe you can just use safecurl completely instead of curl? It has a good security track record!
Yeah, that could be a good idea, but I'm not using cURL directly; I'm using Guzzle. I need to check how I can use them together.
Security is never easy ;-)
I don't think I'll need to create a fork; maybe a simple PR to SafeCurl should be enough, since Guzzle v6 adds the ability to define a different handler: https://github.com/guzzle/guzzle/blob/master/src/Handler/CurlHandler.php I just need to create a custom one for SafeCurl.
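One way to apply the checks raised earlier in this thread (resolve first, reject non-public addresses including link-local and IPv6, then pin the validated address so the DNS answer cannot change between the check and the fetch) and hand the result to Guzzle's cURL handler as request options: an added example, not graby's, SafeCurl's or Guzzle's own code. It assumes Guzzle 6 with its default cURL handler; the function names are hypothetical, and the blocked ranges are a starting point rather than a complete list.

```php
<?php
// Added example (not graby's, SafeCurl's or Guzzle's code); assumes Guzzle 6 with
// its default cURL handler. Function names are hypothetical.
// True only for globally routable addresses, v4 or v6. The filter flags reject
// RFC 1918, 127/8, 169.254/16, 0/8, 240/4, ::1, ::ffff:0:0/96, fc00::/7 and
// fe80::/10; the last line adds multicast (224/4 and ff00::/8).
function isPublicAddress(string $ip): bool
{
    $bin = @inet_pton($ip);
    if ($bin === false || filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    $first = ord($bin[0]);
    return strlen($bin) === 4 ? $first < 224 : $first !== 0xff;
}

// Resolve once (A and AAAA; every record must pass), validate, then pin the checked
// address via CURLOPT_RESOLVE so cURL's own lookup cannot return a different answer
// (the TOCTOU window from the thread). Redirects are off so each hop is re-checked.
function buildPinnedOptions(string $url): array
{
    $parts = parse_url($url);
    $scheme = $parts['scheme'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        throw new InvalidArgumentException("Only absolute http(s) URLs are allowed: $url");
    }
    $host = trim($parts['host'], '[]');          // IPv6 literals arrive bracketed
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    $isLiteral = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $ips = $isLiteral ? [$host] : [];            // literal IPs get the same check
    $records = $isLiteral ? [] : (dns_get_record($host, DNS_A | DNS_AAAA) ?: []);
    foreach ($records as $record) {
        $ips[] = $record['ip'] ?? $record['ipv6'] ?? '';   // unknown types fail closed
    }
    if ($ips === []) {
        throw new RuntimeException("Cannot resolve $host");
    }
    foreach ($ips as $ip) {
        if (!isPublicAddress($ip)) {
            throw new RuntimeException("Refusing $url: $host resolves to $ip");
        }
    }
    $options = ['allow_redirects' => false];
    if (!$isLiteral) {
        $options['curl'] = [CURLOPT_RESOLVE => ["$host:$port:{$ips[0]}"]];
    }
    return $options;
}
```

With Guzzle 6 the returned array is passed straight into the request, e.g. `(new \GuzzleHttp\Client())->request('GET', $url, buildPinnedOptions($url))`, and a redirect response is followed by calling `buildPinnedOptions` again on the Location target.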
As reported with wallabag, graby is vulnerable to SSRF. This means one can bypass restrictions for resources only accessible to localhost like http://127.0.0.1/server-status