Overview
A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version 1.1.4 allows a remote attacker to perform HTTP requests to internal endpoints.
Details
Improper handling of filtered request types
Requests with a method other than GET/HEAD received a 405 Method Not Allowed response, yet the outgoing request to the upstream host was still performed.
```mermaid
sequenceDiagram
Client->>GoCamo: POST /<image url>/<hmac>
GoCamo->>Client: 405 Method not allowed
GoCamo->>Host: POST <image url>
```
This behavior could have been used for a blind SSRF if an attacker managed to bypass the IP blacklist functionality (see next issue).
No validation of redirects with regard to blacklists/whitelists
Redirect URLs were not being validated against the blacklists/whitelists.
This meant that redirects such as these were being followed:
```http
HTTP/1.1 307 Temporary Redirect
Location: http://localhost:3333
...
```
In combination with the aforementioned improper request filtering, this allowed an attacker to send a request with arbitrary HTTP method to internal endpoints.
```mermaid
sequenceDiagram
Client->>GoCamo: POST /<image url>/<hmac>
GoCamo->>Client: 405 Method not allowed
GoCamo->>Host: POST <image url>
Host->>GoCamo: 307 Location: http://internal_ip:3333
GoCamo->>internal_ip: POST http://internal_ip:3333
```
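The two defects above share one root cause: checks that should gate every upstream connection were applied only to the initial request. The following Go code, added here as an illustration and not taken from go-camo or its 1.1.5 fix, shows the shape of the correct ordering: the method check and the denylist run before any connection is opened, and the same denylist is re-applied to each redirect hop through `http.Client.CheckRedirect`, with `maxRedirects == 0` reproducing the advisory's `--max-redirects=0` workaround. The denylist ranges, the function names and the `RedirectAllowed` helper (which evaluates the redirect policy without network I/O) are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Sentinel errors, both returned before any upstream connection is opened.
var (
	ErrMethod = errors.New("method not allowed: only GET and HEAD are proxied")
	ErrDenied = errors.New("target host is on the denylist")
)

// deniedNets is a constructed denylist of internal ranges (loopback, RFC 1918,
// link-local, IPv6 ULA) standing in for the proxy's real filter configuration.
var deniedNets = mustParseCIDRs("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// HostDenied reports whether the URL's host lies in a denied range. IP literals
// are checked directly; hostnames are resolved, and a lookup failure (including
// an empty host) counts as denied so the check fails closed.
func HostDenied(u *url.URL) bool {
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil {
		var err error
		if ips, err = net.LookupIP(u.Hostname()); err != nil {
			return true
		}
	}
	for _, ip := range ips {
		for _, n := range deniedNets {
			if n.Contains(ip) {
				return true
			}
		}
	}
	return false
}

// ValidateRequest runs before the proxy opens any upstream connection: a
// non-GET/HEAD method is rejected outright (the first issue) and the initial
// target is screened against the denylist.
func ValidateRequest(method, target string) error {
	if method != http.MethodGet && method != http.MethodHead {
		return ErrMethod
	}
	u, err := url.Parse(target)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("unsupported target %q", target)
	}
	if HostDenied(u) {
		return ErrDenied
	}
	return nil
}

// NewFetchClient returns an http.Client whose CheckRedirect re-screens every
// hop against the denylist (the second issue) and stops after maxRedirects
// hops; maxRedirects == 0 is the advisory's --max-redirects=0 workaround.
func NewFetchClient(maxRedirects int) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			// via lists the requests already issued, so len(via) is the
			// number of hops taken before this one.
			if len(via) > maxRedirects {
				return fmt.Errorf("stopped after %d redirects", maxRedirects)
			}
			if HostDenied(req.URL) {
				return ErrDenied
			}
			return nil
		},
	}
}

// RedirectAllowed evaluates c's redirect policy for a hop to location after
// hops earlier requests, as http.Client does on a 3xx, without any network I/O.
func RedirectAllowed(c *http.Client, location string, hops int) error {
	next, err := http.NewRequest(http.MethodGet, location, nil)
	if err != nil {
		return err
	}
	return c.CheckRedirect(next, make([]*http.Request, hops))
}
```

With this ordering, `ValidateRequest("POST", ...)` returns `ErrMethod` without any fetch, and a `307` whose `Location` points at `http://127.0.0.1:3333/` is refused by the client's `CheckRedirect` with `ErrDenied`. One caveat a reviewer would raise: resolving a hostname in `HostDenied` and then letting the transport resolve it again when dialing leaves a DNS-rebinding window; a stricter implementation performs the range check inside a custom `DialContext` on the address it is actually about to connect to.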
Patches
Version 1.1.5 contains fixes for the issues.
Workarounds
Improper handling of filtered request types
No workaround; upgrading to go-camo 1.1.5 is recommended.
No validation of redirects with regard to blacklists/whitelists
Workaround: Disable redirect following
As a partial mitigation (preventing the second of the two issues), you can disable redirect following via --max-redirects=0. Since blacklists/whitelists are still validated on the initial GoCamo request, setting max-redirects to 0 means no redirect is ever followed, so a redirect cannot steer a request to a filtered host.
References
Special thanks to @dappelt and GitLab for the findings and very clear reporting
of the issues.
For more information
If you have any questions or comments about this advisory: