We received an e-mail from a security researcher bringing the issue mentioned below to our attention. I am not a security expert so I cannot tell you whether this is right or wrong. I forwarded this to Discourse support in February 2021 and have not received a response. I’d like to know:
- whether this issue is still a problem
- is there something I can do about it (settings, etc.)
Thanks,
Gary W.
remote.it support
#========================================================
Summary:
A server-side request forgery vulnerability appears to leak a number of
internal IP addresses and tries to connect to an attacker-controlled host.
Here you can see that there is a misconfiguration of input validation;
that's why mine, instead of the original email address, is not validated and
a request was received on my Burp Suite Collaborator.
Steps to reproduce:
1. First, go to your website https://forum.remote.it/top/yearly
2. Sign up successfully there
3. Go to create a new topic
4. Paste your server link there
POC:
Find a video attachment. You can also perform my steps to reproduce. (Sorry, new users cannot upload attachments.) It was attached to the e-mail I sent to support.
Impact:
This will allow attackers to gain access to an internal IP of the server,
which is shown by the HTTP response from this server, i.e. the Collaborator server
received an HTTP request. The Collaborator server received a DNS
lookup of type A for the domain name
[zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net](http://zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net). The lookup was
received from IP address 66.220.12.132 at 2020-Dec-10 11:03:44 UTC.
This IP belongs to the company; you can validate it on the
whois record.
A Server-Side Request Forgery vulnerability can pose a great threat to
modern-day web applications, as it can compromise the confidentiality of
data.
Mitigation:
SSRF can be mitigated through proper sanitization of URLs and other user inputs.
A developer could create a blacklist, restrict any user inputs matching
the blacklist, and also perform boundary checks.
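An added example of the destination check that the report's mitigation section describes, written here as an illustration and not taken from the post or from Discourse. It resolves the host of a user-supplied link before the server fetches it (the "paste your server link" step above is exactly where a forum generates a link preview) and rejects any answer inside private, loopback, link-local or metadata ranges. The name table and the host names (example.com, attacker.example, meta.example) are constructed so the script runs offline; in production `system_resolver` is used instead, and the caller connects to one of the returned addresses rather than resolving the name a second time. Discourse exposes a site-setting block list of this kind (`blocked_ip_blocks`) for its own link fetcher; the example is independent of it.

```python
"""Added example (not Discourse's or the poster's code): check a user-supplied
link before a server fetches it for a preview, judging the *resolved* address
rather than the URL string alone. The resolver is injectable so the example
runs offline against a constructed name table."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server should never fetch from on behalf of a user. ipaddress already
# flags loopback/link-local/private; these cover cloud metadata endpoints and
# CGNAT, which older Python versions do not treat as private.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.169.254/32"),  # cloud metadata (IPv4)
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS metadata (IPv6)
    ipaddress.ip_network("100.64.0.0/10"),       # CGNAT
]

# Constructed name table standing in for DNS so the example runs offline.
# attacker.example returns a mixed answer: one public address, one internal.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "attacker.example": ["52.0.0.1", "10.0.0.5"],
    "meta.example": ["169.254.169.254"],
}


def fake_resolver(host):
    """Offline stand-in for DNS; raises like socket.getaddrinfo on unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def system_resolver(host):
    """Real lookup for production use: every A/AAAA answer, deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_blocked(addr_text):
    """True if a fetch to this address would reach something internal."""
    addr = ipaddress.ip_address(addr_text)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return address_is_blocked(str(addr.ipv4_mapped))
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, resolver=fake_resolver):
    """Return (ok, reason, addresses).

    ok is True only if every resolved address is routable and outside the
    blocked ranges. The caller should connect to one of the returned
    addresses instead of re-resolving, so a DNS answer that changes between
    check and fetch (rebinding) cannot slip past the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    if parts.username or parts.password:
        return False, "credentials embedded in URL", []
    try:
        # A literal IP needs no lookup but still gets the range check.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addresses = list(resolver(host))
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}", []
    for addr in addresses:
        if address_is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}", addresses
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in ("https://example.com/page", "https://attacker.example/",
                      "http://[::ffff:10.0.0.1]/", "http://meta.example/latest/"):
        print(candidate, check_fetch_target(candidate))
```

The point of checking the resolved addresses, and of rejecting a name when any of its answers is internal, is that a string-level blacklist of the kind the report suggests can be sidestepped by a hostname that resolves to an internal address, by a redirect, or by an IPv4-mapped IPv6 literal; the check has to be repeated on every hop of a redirect chain.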