GHSA-JHWW-FX2J-3RF7

Vulnerability from github – Published: 2023-11-02 20:53 – Updated: 2023-11-02 20:53
VLAI?
Summary
FoodCoopShop Server-Side Request Forgery vulnerability
Details

There is a potential SSRF vulnerability in foodcoopshop. Since there is no security policy on your Github, I tried to use the emails to contact you.

The potential issue is in the Network module, where a manufacturer account can use the /api/updateProducts.json endpoint to make the server send a request to arbitrary host. For example, use

data[data][0][remoteProductId]=352&data[data][0][image]=http://localhost:8888/

will make the server send a request to localhost:8888. This means that it can be used as a proxy into the internal network where the server is.

To make matters worse, the checks on valid image is not enough. There is time of check time of use issue there. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file at the redirect destination, making this a full SSRF. (An example python server that can do this is at https://pastebin.com/8K5Brwbq This will make the server download whatever at the redirect target)

You can check https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF, their impact and how to properly fix it.

Regards

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "foodcoopshop/foodcoopshop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-02T20:53:19Z",
    "nvd_published_at": "2023-11-02T15:15:08Z",
    "severity": "HIGH"
  },
  "details": "There is a potential SSRF vulnerability in foodcoopshop. Since there is no security policy on your Github, I tried to use the emails to contact you.\n\nThe potential issue is in the Network module, where a manufacturer account can use the /api/updateProducts.json endpoint to make the server send a request to arbitrary host.\nFor example, use\n```\ndata[data][0][remoteProductId]=352\u0026data[data][0][image]=http://localhost:8888/\n```\nwill make the server send a request to localhost:8888. This means that it can be used as a proxy into the internal network where the server is.\n\nTo make matters worse, the checks on valid image is not enough. There is time of check time of use issue there.\nFor example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file\nat the redirect destination, making this a full SSRF.\n(An example python server that can do this is at https://pastebin.com/8K5Brwbq This will make the server download whatever at the redirect target)\n\nYou can check https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF, their impact and how to properly fix it.\n\nRegards",
  "id": "GHSA-jhww-fx2j-3rf7",
  "modified": "2023-11-02T20:53:19Z",
  "published": "2023-11-02T20:53:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46725"
    },
    {
      "type": "WEB",
      "url": "https://github.com/foodcoopshop/foodcoopshop/pull/972"
    },
    {
      "type": "WEB",
      "url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/foodcoopshop/foodcoopshop"
    },
    {
      "type": "WEB",
      "url": "https://pastebin.com/8K5Brwbq"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FoodCoopShop Server-Side Request Forgery vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.