Server-side request forgery vulnerability

We received an e-mail from a security researcher bringing the issue mentioned below to our attention. I am not a security expert so I cannot tell you whether this is right or wrong. I forwarded this to Discourse support in February 2021 and have not received a response. I’d like to know:

  • whether this issue is still a problem
  • is there something I can do about it (settings, etc.)

Thanks,

Gary W.
remote.it support

#========================================================
Summary:
A server-side request forgery vulnerability appears to leak a number of
internal IP addresses and tries to connect to an attacker-controlled host.

Here, you can see that there is a misconfiguration of input validation;
that is why my link, instead of the original email address, is not validated and
I received a request on my Burp Suite Collaborator.

Steps to reproduce:
1. First go to your website https://forum.remote.it/top/yearly
2. Sign up successfully here
3. Go to create new topic
4. Here you paste your server link

POC:
Find a video attachment. You can also perform my steps to reproduce. (sorry, new users cannot upload attachments)  It was attached to the e-mail I sent to support.

Impact:
This will allow attackers to gain access to an internal IP of the server,
which shows the HTTP response from this server, i.e. the Collaborator server
received an HTTP request. The Collaborator server received a DNS
lookup of type A for the domain name
[zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net](http://zsvge3euks4arcd9nmrwa0dvamgc41.burpcollaborator.net). The lookup was
received from IP address 66.220.12.132 at 2020-Dec-10 11:03:44 UTC.
This belongs to the company's IP range; you can validate this on the
whois record.
A Server-Side Request Forgery vulnerability can pose a great threat to
modern-day web applications, as it can compromise the confidentiality of
data.

Mitigation:
SSRF can be mitigated through proper sanitization of URLs and other user inputs.
A developer could create a blacklist, reject any user input matching
the blacklist, and also perform boundary checks.

It appears that what they’re talking about is our oneboxing functionality.

It’s not a vulnerability; it’s intended behaviour. If a URL is posted to a Discourse forum, an outbound request is done to attempt to retrieve metadata to construct a onebox.

This kind of report appears to be part of a low-effort scan of websites for generic “vulnerabilities” since they are not familiar with how the software they are testing works.

If they do have any findings we encourage them to submit them via our HackerOne bug bounty program.

If you have any further concerns we’d be happy to address them.

I don’t have any record of messages from this email address but we’ll investigate to see why we didn’t receive it.

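As an added example (not Discourse's code, and not from the report above), this is the kind of guard a link-preview fetcher can apply before the outbound metadata request the reply describes: only http/https URLs, every address the host resolves to must be public, and the checked address is returned so the fetch connects to that address rather than re-resolving. The hostnames and the resolver table are constructed so the example runs offline; a real fetcher would pass `system_resolve` instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline (hypothetical hosts);
# a real fetcher would use system_resolve() below instead.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],                  # public: preview allowed
    "intranet.example": ["10.0.0.5"],                  # RFC 1918: must be blocked
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one bad answer blocks all
}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host}")
    return FAKE_DNS[host]

def system_resolve(host):
    # Real resolver: check every A/AAAA answer, not just the first one.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_onebox_target(url, resolve=fake_resolve):
    """Validate a URL before a onebox-style metadata fetch.

    Returns (host, pinned_ip) so the caller connects to the address that was
    actually checked (avoids a DNS re-resolution race). Raises ValueError for
    anything that must not be fetched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        # Literal IPs (incl. IPv6 such as [::1]) skip DNS but still get range-checked.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local, ULA,
        # multicast and reserved ranges: exactly the "internal" targets
        # an SSRF probe hopes the server will contact on its behalf.
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host, addrs[0]

def onebox_allowed(url, resolve=fake_resolve):
    """Boolean convenience wrapper around check_onebox_target()."""
    try:
        check_onebox_target(url, resolve)
        return True
    except ValueError:
        return False
```

Fetching a public, attacker-owned site stays allowed, which matches the reply's point that the outbound request itself is intended; only internal targets are refused.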

Thanks for the response. I’ve sent a link to this thread back to the person who reported the issue (or feature as the case may be) to us.

Cheers,

DL
