HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

Summary

Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.

Details

api/services/website/cacheAddress.js, api/apps/haxcms/lib/JOSHelpers.js, and api/apps/haxcms/convert/elmslnToSite.js use similar logic to check for hard-coded site names. However, the logic only looks for the substring to be included in the user-controlled string, allowing an attacker to craft an API call and extract the credentials intended for the hard-coded domains.

PoC

Making API calls to an affected endpoint will result in credential theft. The attacker-controlled domains in these proofs of concept are cloudflared tunnels, protecting the production credentials from unencrypted exposure.

cacheAddress.js:

elmslnToSite.js:

JOSHelpers.js:

Impact

This vulnerability allows internal data, including secrets, to be exfiltrated to an attacker-controlled domain. Credentials were confirmed with the maintainer to grant access to unreleased LMS content on subsequent systems; out of scope for PoC.