We received an e-mail from a security researcher bringing the issue mentioned below to our attention. I am not a security expert so I cannot tell you whether this is right or wrong. I forwarded this to Discourse support in February 2021 and have not received a response. I’d like to know:
- whether this issue is still a problem
- is there something I can do about it (settings, etc.)
#======================================================== Summary: A server-side request forgery vulnerability appears to leak a Number of internal IP address and tries to connect to an attacker-controlled host. Here, you can see that there is a misconfiguration of input validation that's why my instead of the original email address is not validating and received request on my burpsuit collaborator. Steps to reproduce: 1:First go to your website https://forum.remote.it/top/yearly 2:Signup successfully here 3:Go to create new topic 4:here you paste your server link POC: Find a Video attachment. You can also perform my steps to reproduce. (sorry, new users cannot upload attachments) It was attached to the e-mail I sent to support. Impact: This will allow attackers to gain access to an internal IP of the server which shows the http response from this server i.e The Collaborator server received an HTTP request. The Collaborator server received a DNS lookup of type A for the domain name [zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net](http://zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net). The lookup was received from IP address 188.8.131.52 at 2020-Dec-10 11:03:44 UTC. belongs to Company IP, you can validate on whois record. Server-Side Request Forgery, vulnerability can possess a great threat to modern-day web applications, as it can compromise the confidentiality of data. Mitigation: SSRF can be mitigated through proper URL or other user inputs sanitization. A developer could create a blacklist and restrict any user inputs matching the blacklist and also perform boundary checks.