Add SECURITY.md (SSRF + CSRF, v1.0~v2.3.8)#277
Open
nk7667 wants to merge 1 commit into
…8
- SSRF (CWE-918) - CVSS 9.1 Critical
- CSRF (CWE-352) - CVSS 7.5 High
- 180+ public instances affected
- Includes PoC and remediation steps

Affected versions: v1.0 through v2.3.8

SSRF: remoteuploads flag allows arbitrary HTTP requests to internal networks and cloud metadata. No auth required by default.

CSRF: PUT upload endpoint skips referrer validation. Any cross-origin website can upload files.

Temporary mitigation: disable -remoteuploads or use a reverse proxy.

Full details in SECURITY.md.
Contributor
Please take your AI slop elsewhere. Regarding the "vulnerable IPs"...if those are indeed vulnerable, I suggest you reach out to the operators of those linx-server instances; this is not the place for that. Regarding the SSRF, please see #276. The remoteuploads feature is not enabled by default, and in fact the entire purpose of this feature is to enable the server to make network requests to arbitrary origins. The CSRF finding is just nonsense. The PUT method requires a preflight request; it's simply not possible to make this request cross-origin without adding the necessary CORS headers, which we do not implement.
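An added example (not linx-server's own code) of the preflight point made in the reply above: a constructed PUT upload handler that sets no CORS headers, a function that models the browser's preflight decision, and, as the thing to check for in a deployment, a permissive wrapper that shows which headers would have to be present (for instance added by a reverse proxy in front of the server) before a browser would send the cross-origin PUT. The handler, route and origin are assumptions.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// uploadHandler: constructed stand-in for a PUT upload endpoint that sets no CORS headers.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPut {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	fmt.Fprint(w, "stored") // 200 OK
}

// browserWouldSendCrossOriginPUT models the browser side of CORS: a cross-origin PUT is
// preceded by an OPTIONS preflight and is only sent if a 2xx reply grants origin and method.
func browserWouldSendCrossOriginPUT(h http.Handler, origin string) bool {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodOptions, "/upload/demo.txt", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "PUT")
	h.ServeHTTP(rec, req)
	allowOrigin := rec.Header().Get("Access-Control-Allow-Origin")
	allowMethods := rec.Header().Get("Access-Control-Allow-Methods")
	originOK := allowOrigin == "*" || allowOrigin == origin
	methodOK := strings.Contains(allowMethods, "PUT") || strings.Contains(allowMethods, "*")
	return rec.Code >= 200 && rec.Code < 300 && originOK && methodOK
}

// withPermissiveCORS adds exactly the headers that make the preflight pass; it exists to show
// the misconfiguration to check for (for example a reverse proxy in front adding them).
func withPermissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Methods", "PUT, OPTIONS")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() {
	plain := http.HandlerFunc(uploadHandler)
	fmt.Println("no CORS headers, PUT sent:", browserWouldSendCrossOriginPUT(plain, "https://other.example"))
	fmt.Println("permissive CORS, PUT sent:", browserWouldSendCrossOriginPUT(withPermissiveCORS(plain), "https://other.example"))
}
```

Running the same preflight check against a live deployment (an OPTIONS request with Origin and Access-Control-Request-Method headers) tells you whether anything in front of the server has added these headers.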