| Titel | sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery |
|---|
| Beschreibung | A Server-Side Request Forgery (SSRF) vulnerability exists in the theme fetching functionality of go-sonic/sonic blogging platform. The vulnerability allows an authenticated administrator to make the server send HTTP requests to arbitrary internal or external URLs, and read local files via the `file://` protocol.
1. **SSRF via Theme Fetching API:**
- In the file `service/theme/git_fetcher.go`, the `FetchTheme` function accepts a user-supplied URL and directly passes it to the `git.PlainClone` function without any validation or sanitization.
- The vulnerable code:
```go
func (g gitThemeFetcherImpl) FetchTheme(ctx context.Context, file interface{}) (*dto.ThemeProperty, error) {
gitURL := file.(string) // User-controlled input
// ...
_, err := git.PlainClone(filepath.Join(tempDir, themeDirName), false, &git.CloneOptions{
URL: gitURL, // Directly used without validation
})
```
2. **Exploitation Vectors:**
- **Internal Network Scanning:** Attacker can probe internal services by specifying internal IP addresses
- **Local File Access:** Using `file://` protocol to access local files on the server
- **Cloud Metadata Access:** In cloud environments (AWS/GCP/Azure), attacker can access instance metadata endpoints
- **DNS-based Detection:** Attacker can use DNSLog services to confirm outbound requests
3. **Prerequisites:**
- Valid administrator credentials are required
- The vulnerable endpoint requires authentication via `Admin-Authorization` header |
|---|
| Quelle | ⚠️ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ |
|---|
| Benutzer | hiro (UID 93548) |
|---|
| Einreichung | 19.12.2025 09:22 (vor 4 Monaten) |
|---|
| Moderieren | 01.01.2026 10:38 (13 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 339335 [go-sonic bis 1.1.4 Theme Fetching API git_fetcher.go FetchTheme uri erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|