Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qaHd3LWZ4MmotM3JmN84AA24t
FoodCoopShop Server-Side Request Forgery vulnerability
There is a potential SSRF vulnerability in foodcoopshop. Since there is no security policy on your Github, I tried to use the emails to contact you.
The potential issue is in the Network module, where a manufacturer account can use the /api/updateProducts.json endpoint to make the server send a request to arbitrary host.
For example, use
data[data][0][remoteProductId]=352&data[data][0][image]=http://localhost:8888/
will make the server send a request to localhost:8888. This means that it can be used as a proxy into the internal network where the server is.
To make matters worse, the checks on valid image is not enough. There is time of check time of use issue there.
For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file
at the redirect destination, making this a full SSRF.
(An example python server that can do this is at https://pastebin.com/8K5Brwbq This will make the server download whatever at the redirect target)
You can check https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on SSRF, their impact and how to properly fix it.
Regards
Permalink: https://github.com/advisories/GHSA-jhww-fx2j-3rf7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qaHd3LWZ4MmotM3JmN84AA24t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-jhww-fx2j-3rf7, CVE-2023-46725
References:
- https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7
- https://nvd.nist.gov/vuln/detail/CVE-2023-46725
- https://github.com/foodcoopshop/foodcoopshop/pull/972
- https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808
- https://pastebin.com/8K5Brwbq
- https://github.com/advisories/GHSA-jhww-fx2j-3rf7
Blast Radius: 1.0
Affected Packages
packagist:foodcoopshop/foodcoopshop
Dependent packages: 0Dependent repositories: 0
Downloads: 737 total
Affected Version Ranges: >= 3.2.0, < 3.6.1
Fixed in: 3.6.1
All affected versions: 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.6.0
All unaffected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.1, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.6.1, 3.6.2, 4.0.0