Blind SSRF via feedparser accessing an internal URL
Versions affected
- 5.2.4
- 5.2.3
- 5.2.2
- 5.2.1
- 5.2.0
- 5.1rc2
- 5.1rc1
- 5.1b4
- 5.1b3
- 5.1b2
- 5.1a2
- 5.1a1
- 5.1.7
- 5.1.6
- 5.1.5
- 5.1.4
- 5.1.2
- 5.1.1
- 5.1
- 5.0rc3
- 5.0rc2
- 5.0rc1
- 5.0.9
- 5.0.8
- 5.0.7
- 5.0.6
- 5.0.5
- 5.0.4
- 5.0.3
- 5.0.2
- 5.0.10
- 5.0.1
- 5.0
- 4.3.9
- 4.3.8
- 4.3.7
- 4.3.6
- 4.3.5
- 4.3.4
- 4.3.3
- 4.3.20
- 4.3.2
- 4.3.19
- 4.3.18
- 4.3.17
- 4.3.15
- 4.3.14
- 4.3.12
- 4.3.11
- 4.3.10
- 4.3.1
- 4.3
Vulnerability
By adding an RSS feed portlet to their dashboard, a normal member could try to load the RSS feed of an internal service that is otherwise unreachable to that member.
Current status
Hotfixed.
Note: the only fix we apply is to allow http and https access only, so the file protocol and any other protocol cannot be used.
The more general case of reaching internal servers, here and in other parts of the Plone code, cannot truly be fixed without major code changes or breaking valid use cases. For example, on an intranet you may want to show the RSS feed of an internal log server.
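The scheme allowlist described above, as an added Python example that is not Plone's hotfix code: `feed_url_allowed` is this example's own name, and its optional `block_private_hosts` flag is an extension beyond the hotfix that a deployment without intranet feeds could turn on, at the cost of the use case the note describes.

```python
"""Gate a portlet feed URL before it is handed to feedparser.parse(url).

Illustrative code, not the Plone hotfix itself.  The default behaviour
matches the advisory: only http and https are accepted, so file:// and
every other scheme is refused.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def feed_url_allowed(url, block_private_hosts=False):
    """Return True if ``url`` may be fetched as an RSS feed.

    ``block_private_hosts`` (an assumption of this example, not part of
    the hotfix) additionally refuses URLs whose host is a literal
    loopback, private, link-local or reserved IP address.  It is off by
    default because, as the advisory notes, it breaks legitimate
    intranet feeds.  Hostnames are not resolved, so a name that points
    at an internal address is not caught by this flag.
    """
    parts = urlsplit(url)
    # urlsplit already lowercases the scheme; anything but http/https is out.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host:
        # e.g. "http:///feed" or a bare path: nothing sensible to fetch.
        return False
    if block_private_hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return True  # a hostname, not a literal address; not checked here
        if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs a portlet owner might enter.
    for candidate in ("https://example.com/feed.xml", "file:///etc/hosts",
                      "http://10.0.0.5/feed", "http://[::1]:8080/feed"):
        print(candidate, feed_url_allowed(candidate),
              feed_url_allowed(candidate, block_private_hosts=True))
```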
Credits
Discovered by
- Reported by Subodh Kumar Shree
Fixed by
- Plone Security Team
Coordinated by
- Plone Security Team