| tiêu đề | sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery |
|---|
| Mô tả | A Server-Side Request Forgery (SSRF) vulnerability exists in the theme fetching functionality of go-sonic/sonic blogging platform. The vulnerability allows an authenticated administrator to make the server send HTTP requests to arbitrary internal or external URLs, and read local files via the `file://` protocol.
1. **SSRF via Theme Fetching API:**
- In the file `service/theme/git_fetcher.go`, the `FetchTheme` function accepts a user-supplied URL and directly passes it to the `git.PlainClone` function without any validation or sanitization.
- The vulnerable code:
```go
func (g gitThemeFetcherImpl) FetchTheme(ctx context.Context, file interface{}) (*dto.ThemeProperty, error) {
gitURL := file.(string) // User-controlled input
// ...
_, err := git.PlainClone(filepath.Join(tempDir, themeDirName), false, &git.CloneOptions{
URL: gitURL, // Directly used without validation
})
```
2. **Exploitation Vectors:**
- **Internal Network Scanning:** Attacker can probe internal services by specifying internal IP addresses
- **Local File Access:** Using `file://` protocol to access local files on the server
- **Cloud Metadata Access:** In cloud environments (AWS/GCP/Azure), attacker can access instance metadata endpoints
- **DNS-based Detection:** Attacker can use DNSLog services to confirm outbound requests
3. **Prerequisites:**
- Valid administrator credentials are required
- The vulnerable endpoint requires authentication via `Admin-Authorization` header |
|---|
| Nguồn | ⚠️ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ |
|---|
| Người dùng | hiro (UID 93548) |
|---|
| Đệ trình | 19/12/2025 09:22 (cách đây 4 các tháng) |
|---|
| Kiểm duyệt | 01/01/2026 10:38 (13 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 339335 [go-sonic đến 1.1.4 Theme Fetching API git_fetcher.go FetchTheme uri nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|