cPanel-host SSRF via userinfo-injection (evil.com@127.0.0.1) #126
jesse-a/OpenCRM#126
Severity: HIGH
`normalizeHost()` in `src/app/actions/wordpress-cpanel.ts` did string replacements on the raw input to strip the protocol, path and port, and then ran `rejectInternalTarget()` on the leftover string. An input such as `evil.com@127.0.0.1` passed every check (no IP literal, no `localhost`, no internal TLD).

But `cpanelUapi()` then did `new URL(`https://${auth.host}:${auth.port}/...`)`, and the URL spec parses `evil.com@127.0.0.1:2083` as userinfo=`evil.com` + hostname=`127.0.0.1`. End result: an outbound fetch to loopback with the cPanel API token in the `Authorization` header.

Fix: new `safeHostnameFromInput()` in `src/lib/url-security.ts`. It parses the input via `new URL()`, rejects URLs that carry userinfo (`u.username || u.password`), and returns the bare `u.hostname`, i.e. the real target as `fetch` would interpret it. `normalizeHost()` now relies on it.

Files: src/lib/url-security.ts, src/app/actions/wordpress-cpanel.ts
Resolved in commit de87b11.
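To make the mismatch concrete, here is an added example (not OpenCRM's own code, and not the contents of commit de87b11): a string-stripping normalizer in the pre-fix style, a helper showing what `new URL()` actually makes of the result, and a userinfo-aware replacement in the spirit of `safeHostnameFromInput()`. The function names `normalizeHostVulnerable`, `effectiveTarget`, the contents of `rejectInternalTarget()`, the internal-TLD list and the sample UAPI path are assumptions for illustration.

```typescript
// Added example, not OpenCRM code. Names and the blocklist are assumptions.
const INTERNAL_TLDS = [".local", ".internal", ".localhost"];

// Assumed shape of the original check: rejects IP literals, "localhost" and
// internal TLDs. It validates whatever string it is handed, nothing more.
function rejectInternalTarget(host: string): void {
  const h = host.toLowerCase();
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  const isIpv6 = h.startsWith("[") || h.includes(":");
  if (isIpv4 || isIpv6 || h === "localhost" || INTERNAL_TLDS.some((t) => h.endsWith(t))) {
    throw new Error(`internal target rejected: ${host}`);
  }
}

// Pre-fix pattern: strip scheme/path/port with string replacement, then
// validate the leftover. "evil.com@127.0.0.1" survives untouched, and the
// checker sees a string that starts with "evil.com", so it passes.
function normalizeHostVulnerable(input: string): string {
  const stripped = input
    .trim()
    .replace(/^[a-z]+:\/\//i, "") // scheme
    .replace(/\/.*$/, "") // path and anything after it
    .replace(/:\d+$/, ""); // trailing port
  rejectInternalTarget(stripped);
  return stripped;
}

// What the later `new URL(`https://${host}:${port}/...`)` call resolves to.
// The "@" turns everything before it into userinfo; the real host follows.
function effectiveTarget(host: string, port = 2083): { hostname: string; username: string } {
  const u = new URL(`https://${host}:${port}/execute/Email/list_pops`); // path assumed
  return { hostname: u.hostname, username: u.username };
}

// Hardened pattern: let the URL parser decide, refuse userinfo outright, and
// return the parsed hostname so the check and the fetch agree on the target.
function safeHostnameFromInput(input: string): string {
  const raw = input.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `https://${raw}`;
  let u: URL;
  try {
    u = new URL(withScheme);
  } catch {
    throw new Error(`unparseable host: ${input}`);
  }
  if (u.username || u.password) {
    throw new Error(`userinfo not allowed in host: ${input}`);
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unexpected scheme: ${u.protocol}`);
  }
  rejectInternalTarget(u.hostname);
  return u.hostname;
}

// Stand-alone demonstration with a constructed payload.
const payload = "evil.com@127.0.0.1";
const passed = normalizeHostVulnerable(payload); // passes the old check
const target = effectiveTarget(passed); // but fetch would go to 127.0.0.1
console.log(`old check accepted "${passed}", fetch target = ${target.hostname}`);
try {
  safeHostnameFromInput(payload);
} catch (e) {
  console.log(`new check: ${(e as Error).message}`);
}
```

The design point is that the validator and the consumer must interpret the string the same way, so the validator should run on the parser's output rather than on a hand-stripped copy. Note that a hostname-level check of this kind still says nothing about what the name resolves to; a public name pointing at an internal address (DNS rebinding) is a separate problem that neither the old nor the new check addresses.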