Summary
Serveral Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks.
Details
/mastodon/acct/:acct/statuses/:only_media?
|
const acct = ctx.req.param('acct'); |
|
const only_media = ctx.req.param('only_media') ? 'true' : 'false'; |
|
|
|
const { site, account_id } = await utils.getAccountIdByAcct(acct); |
|
const site = mastodonConfig.apiHost || acctHost; |
|
const acctDomain = mastodonConfig.acctDomain || acctHost; |
|
if (!(site && acctDomain)) { |
|
throw new Error('Mastodon RSS is disabled due to the lack of <a href="https://docs.rsshub.app/en/install/#configuration-route-specific-configurations">relevant config</a>'); |
|
} |
|
|
|
const search_url = `https://${site}/api/v2/search`; |
|
const cacheUid = `mastodon_acct_id/${site}/${acct}`; |
|
|
|
const account_id = await cache.tryGet(cacheUid, async () => { |
|
const search_response = await got({ |
|
method: 'get', |
|
url: search_url, |
|
headers: { |
|
...(mastodonConfig.accessToken ? { Authorization: `Bearer ${mastodonConfig.accessToken}` } : {}), |
|
}, |
|
searchParams: { |
|
q: acct, |
|
type: 'accounts', |
|
}, |
|
}); |
/zjol/paper/:id?
|
const id = ctx.req.param('id') ?? 'zjrb'; |
|
const limit = ctx.req.query('limit') ? Number.parseInt(ctx.req.query('limit')) : 100; |
|
|
|
const query = id === 'jnyb' ? 'map[name="PagePicMap"] area' : 'ul.main-ed-articlenav-list li a'; |
|
|
|
const rootUrl = id === 'qjwb' ? 'http://qjwb.thehour.cn' : `https://${id}.zjol.com.cn`; |
|
let currentUrl = `${rootUrl}/paperindex.htm`; |
/m4/:id?/:category*
|
const { id = 'news', category = 'china' } = ctx.req.param(); |
|
const limit = ctx.req.query('limit') ? Number.parseInt(ctx.req.query('limit'), 10) : 30; |
|
|
|
const rootUrl = `http://${id}.m4.cn`; |
|
const currentUrl = new URL(category ? `/${category.replace(/\/$/, '')}/` : '/', rootUrl).href; |
PoC
Impact
The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to:
- Leak the server IP address, which could be hidden behind a CDN.
- Retrieve information in the internal network. e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages.
- DoS amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request:
https://rsshub.a.com/zjol/paper/rsshub.b.net%2Fzjol%2Fpaper%2Frsshub.a.com%252Fzjol%252Fpaper%252Frsshub.b.net%25252Fzjol%25252Fpaper%25252Frsshub.a.com%2525252Fzjol%2525252Fpaper%2525252Fexample.com%2525252523%25252523%252523%2523%23.
Summary
Serveral Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks.
Details
/mastodon/acct/:acct/statuses/:only_media?RSSHub/lib/routes/mastodon/acct.js
Lines 4 to 7 in 5928c5d
RSSHub/lib/routes/mastodon/utils.js
Lines 85 to 105 in 5928c5d
/zjol/paper/:id?RSSHub/lib/routes/zjol/paper.js
Lines 7 to 13 in 172f6cf
/m4/:id?/:category*RSSHub/lib/routes/m4/index.js
Lines 10 to 14 in 172f6cf
PoC
Impact
The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to:
https://rsshub.a.com/zjol/paper/rsshub.b.net%2Fzjol%2Fpaper%2Frsshub.a.com%252Fzjol%252Fpaper%252Frsshub.b.net%25252Fzjol%25252Fpaper%25252Frsshub.a.com%2525252Fzjol%2525252Fpaper%2525252Fexample.com%2525252523%25252523%252523%2523%23.