
[SSRF] CVE-2023-27163

Open lvitti opened this issue 2 years ago • 3 comments

Contains a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

https://nvd.nist.gov/vuln/detail/CVE-2023-27163

https://notes.sjtu.edu.cn/s/MUUhEymt7

https://github.com/entr0pie/CVE-2023-27163

lvitti avatar Oct 17 '23 13:10 lvitti

any update on this ?

6abc avatar Dec 30 '23 23:12 6abc

There's no decent protection for such a feature. Even with every single suspicious URL filtered out, one could use a redirection to hit localhost anyway.

If we want to keep such a feature (which I do), the only solution is to make it admin-only (i.e. enter the master key). The same could go for the whole "Settings" tab imho.

ZanyMonk avatar Mar 05 '24 19:03 ZanyMonk

Thank you @ZanyMonk, that is true; it's quite complicated to implement a protection within a service, and it's way easier to sandbox the service itself with properly defined firewall rules. Some of the options: a separate project on the cloud provider, or using containers like Docker, LXC, etc. with a properly isolated network.

This issue was already discussed in this feature request: https://github.com/darklynx/request-baskets/issues/79#issuecomment-1586379590

Nevertheless, my plan is to introduce a command line parameter for the service that enables forwarding, so the feature would be disabled by default. This should at least solve one problem: anyone w/o a real understanding of the security implications running the Request Baskets service with default settings and w/o proper network isolation, thereby opening a back door to their internal network infrastructure.

darklynx avatar Mar 06 '24 09:03 darklynx
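The two defensive points raised in this thread, that a URL filter alone is bypassable through a redirect (ZanyMonk's comment) and that forwarding should be off unless explicitly enabled by a command-line parameter (darklynx's plan), can be illustrated together in a small Go program. This is an added example written for this page; it is not request-baskets' own code, and the flag name `-forward`, the function names and the sentinel errors are hypothetical. The idea it demonstrates is to vet the destination at dial time, after DNS resolution, so the address actually connected to is the one that was checked, and to refuse to follow redirects at all.

```go
package main

import (
	"context"
	"errors"
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"time"
)

// Sentinel errors returned by the forwarding client (names are illustrative).
var (
	ErrForwardingDisabled = errors.New("request forwarding is disabled; start with -forward to enable it")
	ErrPrivateDestination = errors.New("forward destination resolves to a non-public address")
)

// isPublicIP returns false for loopback, RFC 1918 / ULA, link-local (which
// includes the 169.254.0.0/16 cloud metadata range), multicast and
// unspecified addresses. IPv4-mapped IPv6 forms are handled because the
// net.IP predicates unwrap them via To4().
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified())
}

// safeDialContext resolves the target host itself, vets every address the
// resolver returned, and then dials the vetted IP literal rather than the
// hostname. Checking at dial time (not at URL-validation time) means a
// redirect target or a DNS name pointing at an internal address is caught
// even though the original URL looked harmless.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ipa := range ips {
		if !isPublicIP(ipa.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrPrivateDestination, host, ipa.IP)
		}
	}
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newForwardClient builds the HTTP client used to forward a basket's requests.
// With forwarding disabled (the default) it refuses to build a client at all.
func newForwardClient(forwardingEnabled bool) (*http.Client, error) {
	if !forwardingEnabled {
		return nil, ErrForwardingDisabled
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
		// Do not follow redirects: hand the 3xx back to the caller instead of
		// letting a public URL bounce the request to an internal host.
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}, nil
}

func main() {
	// Hypothetical flag mirroring the "disabled by default" plan from the thread.
	enable := flag.Bool("forward", false, "enable forwarding of collected requests to another URL")
	flag.Parse()
	client, err := newForwardClient(*enable)
	if err != nil {
		log.Println(err)
		return
	}
	// Constructed example target; with the vetted dialer, a destination that
	// resolves to loopback or a private range fails before any bytes are sent.
	resp, err := client.Get("http://example.com/")
	if err != nil {
		log.Println("forward failed:", err)
		return
	}
	resp.Body.Close()
	fmt.Println("forwarded, status:", resp.Status)
}
```

Running the binary without `-forward` prints the disabled error and exits, which is the safe default. The dial-time check is what makes the redirect argument moot: even if a redirect were followed, the redirected connection would go through the same dialer and be refused. It does not replace network isolation (firewall rules, a separate container network) recommended above; it only reduces what a forwarding feature can reach from inside the process.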