
SSRF vulnerability in PartKeepr #1269

Closed
asesidaa opened this issue Nov 2, 2023 · 2 comments
Labels: Bug, needs-triage

Comments


asesidaa commented Nov 2, 2023

Bug description

Since there is no security policy and I cannot find contact information for the developers, I have to use an issue to report this.

There is an SSRF vulnerability in PartKeepr. The add attachment through URL function does not have any restriction on the URL.

Steps to reproduce

  1. Go to Edit part->attachments
  2. Add attachments through URL
  3. Use file:///etc/passwd as URL
  4. Observe local file on server being loaded
  5. If on demo site, use http://169.254.169.254 as URL
  6. Observe the metadata being retrieved

Suggestion

Check this link for more information on SSRF
Check this link for more information on how to fix this. Basically you would need to make sure only http and https URLs are accepted, and requests to non-public IP addresses are blocked.

System Information

  • PartKeepr Version: Latest commit
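The fix suggested above (accept only http/https URLs and refuse anything that resolves to a non-public address), written out as an added Python example that is not PartKeepr's own code; `check_attachment_url`, `is_public_address` and the offline `EXAMPLE_TABLE`/`table_resolve` stand-in for DNS are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS table so the example runs offline; use default_resolve in practice.
EXAMPLE_TABLE = {"example.com": {"93.184.216.34"},
                 "metadata.internal": {"169.254.169.254"},
                 "dual.example": {"93.184.216.34", "10.0.0.5"}}  # partly internal

def table_resolve(host):
    """Offline stand-in for DNS; fails like socket.getaddrinfo on unknown names."""
    if host not in EXAMPLE_TABLE:
        raise socket.gaierror("name not known: %s" % host)
    return EXAMPLE_TABLE[host]

def default_resolve(host):
    """Every IPv4/IPv6 address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """True only for globally routable unicast: rejects loopback, RFC 1918,
    link-local (169.254.169.254), CGNAT, multicast and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast

def check_attachment_url(url, resolve=default_resolve):
    """Return (ok, reason); ok only if the URL is safe to fetch server-side.
    The fetcher must then connect to a checked address, not re-resolve (rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:  # IP literal: no lookup needed
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addrs = resolve(parts.hostname)
        except (socket.gaierror, UnicodeError):
            return False, "host does not resolve"
    bad = sorted(a for a in addrs if not is_public_address(a))
    if bad:
        return False, "resolves to non-public address: " + ", ".join(bad)
    return True, "ok"
```

A host with several A records is rejected if any one of them is non-public, which is why `dual.example` fails in the table above.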
asesidaa added the Bug and needs-triage labels Nov 2, 2023

matmair commented Nov 2, 2023

Considering #1059 you will probably not get a response or official recognition.

@Core2DuoKing

> Considering #1059 you will probably not get a response or official recognition.

Which is terrible. The PartKeepr demo online looks like it was incredibly well thought out and works nicely, I guess just keeping it air-gapped and using it as-is might be sufficient for some. But dang, for a free self-hosted open source inventory management software, it's surprisingly good.

asesidaa closed this as not planned Jan 26, 2024