Comments (13)
Why a CVE? This is not a vulnerability in Glastopf; it is intended behavior.
Please send a pull request with your changes...
from glastopf.
@glaslos looks like CVE-2018-10220 was assigned to this despite your comments
from glastopf.
You made a correct observation of an intended behavior.
from glastopf.
Maybe we can remove this function? Shall we?
from glastopf.
This function is intentional; we want this behavior.
from glastopf.
Well, bro. But I changed handlers/emulators/rfi.py and disabled the download_file function, though I still think this function is vulnerable. Thanks.
from glastopf.
Do you have any other ideas on how to avoid the abuse without completely removing support for RFI?
from glastopf.
Well, we could filter the URL. This is the demo, I hope it can help you: you can just use the safe_request_url function.
from __future__ import print_function
import re
import socket
from socket import inet_aton
from struct import unpack

import requests
from requests.utils import requote_uri
try:                                   # Python 2
    from urlparse import urlparse, urljoin
except ImportError:                    # Python 3
    from urllib.parse import urlparse, urljoin


def check_ssrf(url):
    """Reject URLs that are not http(s) or whose host resolves to a private IPv4 range."""
    hostname = urlparse(url).hostname

    def ip2long(ip_addr):
        return unpack("!L", inet_aton(ip_addr))[0]

    def is_inner_ipaddress(ip):
        # 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
        ip = ip2long(ip)
        return ip2long('127.0.0.0') >> 24 == ip >> 24 or \
            ip2long('10.0.0.0') >> 24 == ip >> 24 or \
            ip2long('172.16.0.0') >> 20 == ip >> 20 or \
            ip2long('192.168.0.0') >> 16 == ip >> 16

    try:
        if not re.match(r"^http(s)?://(.*?)$", url):
            raise ValueError("url format error")
        # Only the first resolved address is checked; a non-IPv4 answer makes
        # inet_aton raise, which is caught below and treated as a rejection.
        ip_address = socket.getaddrinfo(hostname, 'http')[0][4][0]
        if is_inner_ipaddress(ip_address):
            raise ValueError("inner ip address attack")
        return True, "success"
    except Exception as e:
        return False, str(e) or "unknown error"


def safe_request_url(url, **kwargs):
    """requests.get() that runs check_ssrf() on the URL and on every redirect target."""

    def _request_check_location(r, *args, **kwargs):
        if not r.is_redirect:
            return
        url = r.headers['location']
        parsed = urlparse(url)
        url = parsed.geturl()
        # Facilitate relative 'location' headers, as allowed by RFC 7231
        # (e.g. '/path/to/resource' instead of 'http://domain.tld/path/to/resource').
        # Compliant with RFC 3986, we percent-encode the url.
        if not parsed.netloc:
            url = urljoin(r.url, requote_uri(url))
        else:
            url = requote_uri(url)
        succ, errstr = check_ssrf(url)
        if not succ:
            raise requests.exceptions.InvalidURL("SSRF Attack: %s" % (errstr,))

    success, errstr = check_ssrf(url)
    if not success:
        raise requests.exceptions.InvalidURL("SSRF Attack: %s" % (errstr,))
    # Register the redirect check as a response hook, keeping any hooks the caller passed.
    all_hooks = kwargs.get('hooks', dict())
    if 'response' in all_hooks:
        if hasattr(all_hooks['response'], '__call__'):
            r_hooks = [all_hooks['response']]
        else:
            r_hooks = list(all_hooks['response'])
        r_hooks.append(_request_check_location)
    else:
        r_hooks = [_request_check_location]
    all_hooks['response'] = r_hooks
    kwargs['hooks'] = all_hooks
    return requests.get(url, **kwargs)


try:
    print(safe_request_url("http://10.10.10.10"))
except requests.exceptions.InvalidURL as e:
    print(e)  # SSRF Attack: inner ip address attack
from glastopf.
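As an added example (not code from the Glastopf project or from the commenter above), a Python 3 version of the same URL check that closes the gaps the snippet above leaves open: it blocks every IANA special-purpose IPv4 and IPv6 range (including 169.254.169.254, the cloud metadata address), checks every address a name resolves to rather than only the first, unwraps IPv4 addresses hidden in IPv4-mapped and 6to4 IPv6 forms, rejects userinfo and unexpected ports, and then fetches by connecting to the vetted IP instead of re-resolving the name, so a DNS answer that changes between check and fetch (rebinding) does not help. Redirects are handed back to the caller rather than followed. The allowed port set, the hostnames in FAKE_DNS and fake_resolver are assumptions constructed for the demonstration.

```python
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy assumed for this example: payloads are fetched over http(s) from web ports only.
ALLOWED_SCHEMES = ("http", "https")
ALLOWED_PORTS = {80, 443, 8080}

# Destinations never contacted on an attacker's behalf: IANA special-purpose
# IPv4/IPv6 ranges (169.254.0.0/16 also covers the cloud metadata address).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "::ffff:0:0/96",
    "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(ip_str):
    """True for a blocked range, also when IPv4 hides in an IPv6 form (::ffff:a.b.c.d, 2002:: 6to4)."""
    ip = ipaddress.ip_address(ip_str)
    candidates = [ip]
    if ip.version == 6:
        candidates += [x for x in (ip.ipv4_mapped, ip.sixtofour) if x is not None]
    return any(c in net for c in candidates for net in BLOCKED_NETWORKS)


def resolve_all(hostname):
    """Every A/AAAA answer, not just the first: the attacker runs the payload host's DNS."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(hostname, None)})


def validate_rfi_url(url, resolver=resolve_all):
    """Return the addresses the URL may be fetched from, or raise ValueError."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise ValueError("unparseable URL: %s" % exc)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r not allowed" % parts.scheme)
    if not host:
        raise ValueError("no host in URL")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL")  # http://trusted.tld@10.0.0.1/ style tricks
    if port not in ALLOWED_PORTS:
        raise ValueError("port %d not allowed" % port)
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal address: nothing to resolve
    except ValueError:
        try:
            addrs = list(resolver(host))
        except (socket.gaierror, OSError) as exc:
            raise ValueError("cannot resolve %r: %s" % (host, exc))
    if not addrs:
        raise ValueError("%r resolved to no address" % host)
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError("%r resolves to blocked address %s" % (host, addr))
    return addrs


def why_rejected(url, resolver=resolve_all):
    """Rejection reason, or None when the URL passes (useful for the honeypot log)."""
    try:
        validate_rfi_url(url, resolver)
        return None
    except ValueError as exc:
        return str(exc)


def fetch_pinned(url, resolver=resolve_all, timeout=5, max_bytes=1 << 20):
    """GET a vetted plain-http URL by connecting to the checked IP rather than the
    name, so a changed DNS answer (rebinding) cannot redirect the fetch internally.
    Redirects are not followed; the Location header is returned for re-validation."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this example pins plain http only (https needs SNI handling)")
    addr = validate_rfi_url(url, resolver)[0]
    host_header = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    if parts.port:
        host_header += ":%d" % parts.port
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(addr, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})  # Host keeps the name
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(max_bytes)
    finally:
        conn.close()


# Constructed DNS data for an offline demonstration; these are not real hosts.
FAKE_DNS = {
    "files.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],  # public + private answer
    "meta.example.test": ["::ffff:169.254.169.254"],  # metadata via IPv4-mapped IPv6
}


def fake_resolver(hostname):
    if hostname not in FAKE_DNS:
        raise socket.gaierror("Name or service not known")
    return FAKE_DNS[hostname]
```

Because fetch_pinned connects to the address that was just checked and only puts the original name in the Host header, the answer cannot change between check and fetch; a 3xx comes back as a status and Location for the caller to pass through validate_rfi_url again before following it. Over HTTPS the same pinning needs the socket wrapped with server_hostname set to the original name, which this example leaves out.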
Can I apply for a cve? I want to try it. :)
from glastopf.
Em... so embarrassed. OK, I will send a pull request. But this pull request just filters the URL for some IPs, and others can still use the web server as a proxy. Does the program really need this function?
I know it is intended behavior, but you don't filter the URL. If some companies deploy your program on the internet, it is possible to be attacked by others. And the day before yesterday I deployed this program; the nginx logs show that someone used my website as a proxy to attack others.
from glastopf.
This issue has been cited as the source.
from glastopf.
> And the day before yesterday I deployed this program; the nginx logs show that someone used my website as a proxy to attack others.
@akamei, ... what do you think Glastopf is? To be more specific - what is your use case (what do you want to do with the software in general)?
from glastopf.
@creolis Sorry, I was too busy before to see your comments. I use your program to gather web attack logs, and I don't want it to influence my web server. This vulnerability may let others attack the inner network of my web server, so I just filter the URL and don't let others attack it. I think if you want the RFI function, you must filter the URL. I think I explained it clearly; if you have any questions, please tell me, thanks.
from glastopf.