Summary
Several Server-Side Request Forgery (SSRF) vulnerabilities in the /proxy route of txtdot allow remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network.
Details
The user-supplied URL is not validated before the server-side request is sent:
```typescript
fastify.get<IProxySchema>(
  '/proxy',
  { schema: ProxySchema },
  async (request, reply) => {
    // request.query.url is attacker-controlled and reaches axios.get() unchecked
    const response = await axios.get(request.query.url);
    const mime: string | undefined =
      response.headers['content-type']?.toString();
    const clen: string | undefined =
      response.headers['content-length']?.toString();
    mime && reply.header('Content-Type', mime);
    clen && reply.header('Content-Length', Number(clen));
    return reply.send(response.data);
  }
);
```
This allows SSRF attacks.
PoC
https://txt.artegoser.ru/proxy?url=http://localhost:8080
Impact
Remote attackers can retrieve information from the internal network.
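One way to vet the `url` parameter before a handler like the one above makes its request, written as an added example in plain JavaScript for Node (it is not txtdot code and not the project's fix). The names `parseIPv4`, `isInternalAddress` and `checkProxyTarget` are hypothetical, and the blocked ranges cover the common internal networks rather than every reserved block.

```javascript
// Added example (not txtdot code); all names are hypothetical.
// Returns four octets for a dotted-quad IPv4 string, or null.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// True for loopback, private, link-local and other non-public addresses.
function isInternalAddress(ip) {
  const addr = ip.toLowerCase();
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
  const v4 = parseIPv4(mapped ? mapped[1] : addr);
  if (v4) {
    const [a, b] = v4;
    return a === 0 || a === 10 || a === 127 || a >= 224 ||
      (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared space
      (a === 169 && b === 254) ||           // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (!addr.includes(':')) return true;     // not an IP literal: fail closed
  return addr === '::' || addr === '::1' ||
    addr.startsWith('::ffff:') ||           // hex-form IPv4-mapped: fail closed
    /^f[cd][0-9a-f]{2}:/.test(addr) ||      // fc00::/7 unique local
    /^fe[89ab][0-9a-f]:/.test(addr) ||      // fe80::/10 link-local
    /^ff[0-9a-f]{2}:/.test(addr);           // ff00::/8 multicast
}

// Vet a user-supplied URL before any server-side request is made.
// `resolve` (hostname -> address list) is injectable so the check can be tested offline.
async function checkProxyTarget(rawUrl, resolve) {
  const url = new URL(rawUrl);              // throws on malformed input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error('scheme not allowed');
  }
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (!resolve) {
    const dns = await import('node:dns/promises');
    resolve = async (h) => (await dns.lookup(h, { all: true })).map((r) => r.address);
  }
  const addresses = await resolve(host);
  if (addresses.length === 0 || addresses.some(isInternalAddress)) {
    throw new Error('target address not allowed');
  }
  return { url: url.href, addresses };
}
```

Passing this check is not sufficient on its own: the request must then connect to one of the vetted addresses and either refuse redirects or re-run the check on each hop, because a redirect or a second DNS answer can otherwise still lead to an internal host.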
Affected code: txtdot/src/routes/browser/proxy.ts, lines 6 to 17 in a7fdaf8