GitHub Security Lab (GHSL) Vulnerability Report, Medusa: GHSL-2023-201
The GitHub Security Lab team has identified potential security vulnerabilities in Medusa.
We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2023-201 as a reference).
If you are NOT the correct point of contact for this report, please let us know!
Summary
Medusa contains an unauthenticated blind server-side request forgery (SSRF).
Project
Medusa
Tested Version
1.0.17
Details
Issue 1: Blind SSRF in /home/testslack endpoint (GHSL-2023-201)
The testslack request handler in medusa/server/web/home/handler.py does not validate the user-controlled slack_webhook variable and passes it to the notifiers.slack_notifier.test_notify method, then _notify_slack and finally _send_slack method, which sends a POST request to the user-controlled URL on line 103 in /medusa/notifiers/slack.py, which leads to a blind server-side request forgery (SSRF).
def _send_slack(self, message=None, webhook=None):
"""Send the http request using the Slack webhook."""
webhook = webhook or app.SLACK_WEBHOOK
log.info('Sending slack message: {message}', {'message': message})
log.info('Sending slack message to url: {url}', {'url': webhook})
headers = {'Content-Type': 'application/json'}
data = {
'text': message,
'username': 'MedusaBot',
'icon_url': 'https://cdn.pymedusa.com/images/ico/favicon-310.png'
}
try:
r = requests.post(webhook, data=json.dumps(data), headers=headers)
r.raise_for_status()
except Exception:
log.exception('Error Sending Slack message')
return False
return TrueThis issue was found with the CodeQL query Full server-side request forgery.
Impact
This issue allows for crafting POST requests on behalf of the Medusa server.
Proof of Concept
- Start a simple python web server, f.ex. this one. This code will start a web server on
http://127.0.0.1:9000
- Start Medusa. We assume that it is running on
http://localhost:8081.
- Send the following request:
curl -X GET 'http://localhost:8081/home/testslack?slack_webhook=http://127.0.0.1:9000/'
Based on the response, we can infer if the request succeeded (returned HTTP status 2xx). If it did, we will receive a response:
Slack notification succeeded. Check your Slack channel to make sure it worked
If the request resulted in an error, it will raise an exception and we will receive:
Error sending Slack notification
Remediation
If possible, use an allowlist with allowed domains to limit the possibility to send POST requests on behalf of Medusa.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
These issues were discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-201 in any communication regarding these issues.
Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.
sylwia-budzynska Reporter
GitHub Security Lab (GHSL) Vulnerability Report, Medusa:
GHSL-2023-201The GitHub Security Lab team has identified potential security vulnerabilities in Medusa.
We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at
securitylab@github.com(please includeGHSL-2023-201as a reference).If you are NOT the correct point of contact for this report, please let us know!
Summary
Medusa contains an unauthenticated blind server-side request forgery (SSRF).
Project
Medusa
Tested Version
1.0.17
Details
Issue 1: Blind SSRF in
/home/testslackendpoint (GHSL-2023-201)The
testslackrequest handler inmedusa/server/web/home/handler.pydoes not validate the user-controlledslack_webhookvariable and passes it to thenotifiers.slack_notifier.test_notifymethod, then_notify_slackand finally_send_slackmethod, which sends a POST request to the user-controlled URL on line 103 in/medusa/notifiers/slack.py, which leads to a blind server-side request forgery (SSRF).This issue was found with the CodeQL query Full server-side request forgery.
Impact
This issue allows for crafting POST requests on behalf of the Medusa server.
Proof of Concept
http://127.0.0.1:9000http://localhost:8081.Based on the response, we can infer if the request succeeded (returned HTTP status 2xx). If it did, we will receive a response:
Slack notification succeeded. Check your Slack channel to make sure it workedIf the request resulted in an error, it will raise an exception and we will receive:
Error sending Slack notificationRemediation
If possible, use an allowlist with allowed domains to limit the possibility to send POST requests on behalf of Medusa.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.
Credit
These issues were discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).
Contact
You can contact the GHSL team at
securitylab@github.com, please include a reference toGHSL-2023-201in any communication regarding these issues.Disclosure Policy
This report is subject to a 90-day disclosure deadline, as described in more detail in our coordinated disclosure policy.