Infogram: Server Side Request Forgery on JSON Feed

2017-10-19T14:22:14
ID H1:280511
Type hackerone
Reporter mr_r3boot
Modified 2017-12-06T10:18:15

Description

Hi Team, I would like to report an SSRF issue.

PoC:

  1. Navigate to https://infogram.com/app/[user-project].
  2. Click on the edit logo fields and click on add JSON Data.
  3. Enter [url][openport]; the response is "Download failed".
  4. Enter [url][closedport]; the response is "Invalid data source".

Fix:

Don't give permission to port-related connections, or use a single error message.

Regards, Mr.R3boot.
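The two mitigations the Fix section asks for, restricting where a server-side fetch may connect and collapsing every failure into one message so open and closed ports are indistinguishable, as an added example in Python. This is not Infogram's code and not the reporter's; the function names (validate_source_url, fetch_json_source), the allow-lists, the stub resolver and the sample hostnames and addresses are all assumptions constructed for the example.

```python
"""Hardened JSON data-source fetcher (added example, not Infogram's code).

Mitigates the two points in the report above:
 1. Reach: only http(s) on ports 80/443 to globally routable addresses is
    allowed; loopback, RFC 1918, link-local and IPv4-mapped IPv6 are refused.
 2. Oracle: every failure (validation, transport, parsing) maps to the same
    message, so the response no longer tells open ports from closed ones.
Function names, allow-lists and sample values are assumptions for this example.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}               # no port-related connections beyond web ports
GENERIC_ERROR = "Invalid data source"   # the single message every failure maps to


def default_resolver(host):
    """Resolve a hostname to all of its IP strings via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped             # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_source_url(url, resolver=default_resolver):
    """Return (hostname, port, ips) for an acceptable URL, else raise ValueError.

    Every rejection raises the same text so the reason is not an oracle; the
    real reason belongs in a server-side log, never in the user-facing reply.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port            # raises ValueError for a non-numeric port
    except ValueError:
        raise ValueError(GENERIC_ERROR)
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if parts.scheme not in ALLOWED_SCHEMES or not host or port not in ALLOWED_PORTS:
        raise ValueError(GENERIC_ERROR)
    try:
        ipaddress.ip_address(host)   # literal address: no DNS lookup needed
        ips = [host]
    except ValueError:
        try:
            ips = resolver(host)
        except (OSError, ValueError):
            raise ValueError(GENERIC_ERROR)
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise ValueError(GENERIC_ERROR)
    return host, port, ips


def fetch_json_source(url, fetch, resolver=default_resolver):
    """Validate, fetch and parse JSON; returns (data, None) or (None, GENERIC_ERROR).

    `fetch` is the caller's HTTP client. It is assumed to connect to the vetted
    IPs rather than re-resolving the name, and not to follow redirects; either
    would reopen both holes. Any exception collapses to the one generic message.
    """
    try:
        validate_source_url(url, resolver)
        return json.loads(fetch(url)), None
    except Exception:                # deliberate: the reason must not reach the user
        return None, GENERIC_ERROR


if __name__ == "__main__":
    # Constructed stub resolver so the demo runs offline; addresses are sample values.
    stub = lambda host: {"public.example": ["8.8.8.8"],
                         "intranet.example": ["10.1.2.3"]}.get(host, [])
    for u in ("https://public.example/data.json", "http://intranet.example/",
              "http://127.0.0.1:22/", "http://169.254.169.254/latest/"):
        _, err = fetch_json_source(u, fetch=lambda _u: '{"ok": true}', resolver=stub)
        print(u, "->", err or "accepted")
```

The validation happens before the connection, so a deployment also has to pin the socket to the vetted addresses (or re-check at connect time) to stay safe against a name that resolves differently on the second lookup; the generic message is what removes the port-scan oracle the report describes.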