Impact
Server-Side Request Forgery (SSRF) is an attack in which a malicious actor abuses an application's functionality to make the server read or modify resources that the attacker cannot reach directly, such as services bound to loopback or the internal network. This is typically accomplished by supplying a URL to the server, which the server then fetches on the attacker's behalf. In an insertDocument API request, an admin who knows the API Secret Salt can supply a URL from which the presentation should be downloaded. This URL was used without being validated first.
Patches
The followRedirect method in the PresentationUrlDownloadService has been updated to validate every URL used for presentation download, including the target of each redirect it follows. Two new properties, presentationDownloadSupportedProtocols and presentationDownloadBlockedHosts, have been added to bigbluebutton.properties so that administrators can define which protocols a URL must use and explicitly list hosts from which a presentation must not be downloaded. All URLs passed to insertDocument must conform to both properties. Additionally, these URLs must resolve to valid addresses, and none of those addresses may be a local or loopback address.
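The following is an added illustration of the checks described above, not BigBlueButton's own Java code: a protocol allowlist, a host blocklist, resolution of the host name, and rejection of loopback, private and link-local addresses on every resolved record, with the redirect target re-validated before each hop. The property values, host names and the lookup table used by the resolver are constructed for this example and are not BigBlueButton defaults.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin

# Assumed settings modelled on the two bigbluebutton.properties keys named in
# the advisory; these values are this example's own, not BigBlueButton's defaults.
SUPPORTED_PROTOCOLS = {"https"}
BLOCKED_HOSTS = {"169.254.169.254", "metadata.google.internal"}


def system_resolver(host):
    """Resolve host to a sorted list of IP strings (A and AAAA) via the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def _is_internal(ip):
    """True for loopback, private, link-local and other non-public addresses."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 address (::ffff:127.0.0.1) must be judged by the
    # embedded IPv4 address, otherwise loopback slips through the check.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_download_url(url, resolver=system_resolver,
                          supported=SUPPORTED_PROTOCOLS, blocked=BLOCKED_HOSTS):
    """Return the resolved addresses for url, or raise ValueError if the URL
    fails the protocol, blocked-host, resolution or address-class checks."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in supported:
        raise ValueError(f"protocol not allowed: {scheme or '(none)'}")
    # .hostname is lower-cased, strips IPv6 brackets and takes the part after
    # the last '@', so "https://cdn.example.com@localhost/" yields "localhost".
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host in blocked:
        raise ValueError(f"host is blocked: {host}")
    # An IP literal needs no lookup; a name must resolve to at least one address.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host does not resolve: {host}")
    # Every record is checked: a name with one public and one loopback
    # address is still rejected.
    for ip in addrs:
        if _is_internal(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return addrs


def is_allowed(url, resolver=system_resolver):
    """Boolean wrapper around validate_download_url."""
    try:
        validate_download_url(url, resolver=resolver)
        return True
    except ValueError:
        return False


def redirect_target(current_url, location):
    """Absolute URL for a Location header, which may be relative. The result
    must go through validate_download_url again before the next request."""
    return urljoin(current_url, location)


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],
    "v6loop.example": ["::1"],
    "mapped.example": ["::ffff:127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/deck.pdf",
                      "http://cdn.example.com/deck.pdf",
                      "https://internal.corp/deck.pdf",
                      "https://cdn.example.com@localhost/deck.pdf"):
        print(candidate, "->", "allowed" if is_allowed(candidate, fake_resolver) else "rejected")
```

One caveat a reviewer would raise against any check of this shape: the name is resolved once here and again by the HTTP client that performs the download, so an attacker who controls the DNS record can answer with a public address for the check and a loopback address for the fetch. Closing that window means connecting to the address that passed validation (and sending the original name in the Host header) rather than letting the client resolve the name a second time.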
Patch on BigBlueButton 2.6.9: #18045
Patch on BigBlueButton 2.5.18: #18052
Workarounds
There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.
References
Credits
We received two independent reports about the same vulnerability vector.
- Abdulmohsen Alotaibi, who contacted us via huntr.dev and responsibly disclosed this vulnerability.
- Germany's Federal Office for Information Security ( bsi.bund.de ), who contacted us and responsibly disclosed this vulnerability. This finding is the result of a project that is part of their Information Security initiative.