| タイトル | Casdoor v2.356.0 Server-Side Request Forgery |
|---|
| 説明 | Webhook SSRF (Server-Side Request Forgery)
**Evidence:**
```go
req, err := http.NewRequest(webhook.Method, webhook.Url, body)
// ...
resp, err := client.Do(req) // No URL validation, no internal network blocking
```
Admin-configured webhook URLs are fetched without any restriction on target address. No SSRF protections are in place.
**Attack scenario:** An attacker who gains org-admin access configures a webhook URL pointing to `http://x.x.x.x/latest/meta-data/` (AWS metadata endpoint) or internal services, exfiltrating cloud credentials or scanning internal infrastructure.
**Fix:** Validate webhook URLs against a denylist of private/reserved IP ranges. Use a dedicated HTTP client that resolves DNS and blocks connections to internal addresses.
--- |
|---|
| ユーザー | Ghufran Khan (UID 95493) |
|---|
| 送信 | 2026年03月17日 14:25 (20 日 ago) |
|---|
| モデレーション | 2026年04月03日 09:26 (17 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 355073 [Casdoor 2.356.0 Webhook URL 特権昇格] |
|---|
| ポイント | 17 |
|---|