Headline
CVE-2023-46725: Merge pull request #972 from foodcoopshop/remotefile · foodcoopshop/foodcoopshop@0d5bec5
FoodCoopShop is open source software for food coops and local shops. Versions prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the /api/updateProducts.json
endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability.
Expand Up @@ -88,19 +88,31 @@ public function testChangeImageValidImageAndDeleteImage()
public function testChangeImageInvalidImage() { $file = WWW_ROOT . '/css/global.css’; $productId = 346; $products = [ [$productId => Configure::read(‘App.fullBaseUrl’) . ‘/css/global.css’] [$productId => $file] ]; $exceptionThrown = false;
try { $this->Product->changeImage($products); } catch (InvalidParameterException $e) { $exceptionThrown = true; } catch (Exception $e) { $this->assertEquals('file is not an image: ' . $file, $e->getMessage()); } }
$this->assertSame(true, $exceptionThrown); public function testChangeImageInvalidDomain() { $productId = 346; $products = [ [$productId => ‘https://localhost:8080/img/tests/test-image.jpg’] ];
try { $this->Product->changeImage($products); } catch (Exception $e) { $this->assertEquals('invalid host’, $e->getMessage()); } }
public function testChangeImageNonExistingFile() Expand All @@ -113,7 +125,7 @@ public function testChangeImageNonExistingFile()
try { $this->Product->changeImage($products); } catch (InvalidParameterException $e) { } catch (Exception $e) { $exceptionThrown = true; }
Expand Down
Related news
There is a potential SSRF vulnerability in foodcoopshop. Since there is no security policy on your Github, I tried to use the emails to contact you. The potential issue is in the Network module, where a manufacturer account can use the /api/updateProducts.json endpoint to make the server send a request to arbitrary host. For example, use ``` data[data][0][remoteProductId]=352&data[data][0][image]=http://localhost:8888/ ``` will make the server send a request to localhost:8888. This means that it can be used as a proxy into the internal network where the server is. To make matters worse, the checks on valid image is not enough. There is time of check time of use issue there. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file at the redirect destination, making this a full SSRF. (An example python server that can do this ...