| عنوان | sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery |
|---|
| الوصف | A Server-Side Request Forgery (SSRF) vulnerability exists in the theme fetching functionality of go-sonic/sonic blogging platform. The vulnerability allows an authenticated administrator to make the server send HTTP requests to arbitrary internal or external URLs, and read local files via the `file://` protocol.
1. **SSRF via Theme Fetching API:**
- In the file `service/theme/git_fetcher.go`, the `FetchTheme` function accepts a user-supplied URL and directly passes it to the `git.PlainClone` function without any validation or sanitization.
- The vulnerable code:
```go
func (g gitThemeFetcherImpl) FetchTheme(ctx context.Context, file interface{}) (*dto.ThemeProperty, error) {
gitURL := file.(string) // User-controlled input
// ...
_, err := git.PlainClone(filepath.Join(tempDir, themeDirName), false, &git.CloneOptions{
URL: gitURL, // Directly used without validation
})
```
2. **Exploitation Vectors:**
- **Internal Network Scanning:** Attacker can probe internal services by specifying internal IP addresses
- **Local File Access:** Using `file://` protocol to access local files on the server
- **Cloud Metadata Access:** In cloud environments (AWS/GCP/Azure), attacker can access instance metadata endpoints
- **DNS-based Detection:** Attacker can use DNSLog services to confirm outbound requests
3. **Prerequisites:**
- Valid administrator credentials are required
- The vulnerable endpoint requires authentication via `Admin-Authorization` header |
|---|
| المصدر | ⚠️ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ |
|---|
| المستخدم | hiro (UID 93548) |
|---|
| ارسال | 19/12/2025 09:22 AM (4 أشهر منذ) |
|---|
| الاعتدال | 01/01/2026 10:38 AM (13 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 339335 [go-sonic حتى 1.1.4 Theme Fetching API git_fetcher.go FetchTheme uri تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|