Server-side Request Forgery in OpenID support
Bug #1808720 reported by François Marier
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Libravatar (obsolete) | Fix Released | High | François Marier |
Bug Description
OpenID support in Libravatar (adding an OpenID to an account, as well as logging in) allows users to trigger an arbitrary HTTP GET request from the server. This includes localhost URLs, for example.
https:/
We should implement the following mitigations:
- filter out "localhost" and its variants (127.0.0.1, ::1, etc.)
- enforce that the scheme is HTTP or HTTPS
- disable non-standard ports (look to see if anybody is using one)
- ensure internal services (postgres, pgbouncer, gearman) are either not listening on the network or have authentication
Changed in libravatar:
status: Confirmed → Fix Released
information type: Private Security → Public Security
Filtering out is quite tricky because it will probably miss two kinds of things:
- a hostname which resolves to a local address
- a remote URL which redirects to a local address
The best option is probably to set up an HTTP proxy without access to local resources and then force all OpenID requests through it.
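The following is an added example written for this page; it is not Libravatar's own code or the fix that shipped. It implements the blocklist from the bug description (localhost and its variants, HTTP/HTTPS only, standard ports only) and then closes the two gaps the comment points out: the hostname is resolved and every returned address is checked against loopback, private, link-local and other non-public ranges, and redirects are followed by hand so that each hop is validated before it is fetched. The resolver and fetcher are injectable; the `FAKE_DNS` and `FAKE_HTTP` tables, the hostnames and the addresses in them are constructed so the checks run offline.

```python
# Added example (not Libravatar's own code): validate an OpenID URL before the
# server fetches it. Covers the blocklist in the bug description (localhost
# variants, scheme, port) and both bypasses from the comment: a hostname that
# resolves to a local address and a remote URL that redirects to one.
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
STANDARD_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def default_resolver(host):
    """All A/AAAA answers for host via real DNS; [] when it does not resolve."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_public_address(addr):
    """True only for a globally routable unicast address: rejects loopback, RFC 1918
    and ULA, link-local (incl. 169.254.169.254), multicast, unspecified, reserved."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)

def check_url(url, resolver=default_resolver):
    """Return the addresses url resolves to if it is safe to fetch, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")
    port = parts.port  # raises ValueError on a non-numeric port
    if port is not None and port != STANDARD_PORTS[parts.scheme]:
        raise ValueError("non-standard port %d" % port)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, including [v6]
    except ValueError:
        addrs = resolver(host)  # hostname: every answer is checked, not just the first
    if not addrs:
        raise ValueError("hostname does not resolve")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError("resolves to non-public address: %s" % ", ".join(bad))
    return addrs

def is_safe_url(url, resolver=default_resolver):
    try:
        check_url(url, resolver)
        return True
    except ValueError:
        return False

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it blindly

def urllib_fetcher(url, timeout=10):
    """(status, lower-cased headers, body) for one request; never follows redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()

def safe_fetch(url, fetcher=urllib_fetcher, resolver=default_resolver, max_redirects=5):
    """Follow redirects by hand, re-validating every hop; returns (final_url, status, body)."""
    for _ in range(max_redirects + 1):
        check_url(url, resolver)
        status, headers, body = fetcher(url)
        if status not in REDIRECT_CODES:
            return url, status, body
        location = headers.get("location")
        if not location:
            raise ValueError("redirect without Location")
        url = urljoin(url, location)  # a relative Location resolves against the current URL
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (hostnames and addresses are made up).
FAKE_DNS = {"openid.example.org": ["93.184.216.34"], "localhost": ["127.0.0.1", "::1"],
            "dual.example.org": ["93.184.216.34", "10.0.0.5"]}  # one answer is internal
FAKE_HTTP = {"https://openid.example.org/id": (200, {"content-type": "text/html"}, b"<html>ok</html>"),
             "https://openid.example.org/moved": (301, {"location": "/id"}, b""),
             "https://openid.example.org/old": (302, {"location": "http://127.0.0.1:5432/"}, b"")}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def fake_fetcher(url):
    return FAKE_HTTP[url]
```

With the constructed tables, `safe_fetch("https://openid.example.org/moved", fake_fetcher, fake_resolver)` follows the relative redirect to `/id` and returns the page, while `.../old` is rejected because its redirect target is 127.0.0.1 on the Postgres port. One caveat remains even with these checks: `check_url` resolves the hostname and then the HTTP client resolves it again, so a hostname whose DNS answer changes between the two lookups (DNS rebinding) can still reach a local address. Connecting to the address that was validated and sending the hostname in the Host header closes that window, as does the egress proxy with no route to local resources proposed in the comment above.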