Describe the bug
From the endpoint /ibm/api/adminCenter/v1/utils/url/getTool?url= an attacker can send any infinite/huge stream reachable from server (file:///dev/zero, file:///dev/urandom, or attacker-hosted endless body) and the api has no scheme allow-list, no size cap, no read timeout.
Steps to Reproduce
Authenticate with a user before you do the below step. This API is only accessible for an authenticated user (admin/reader).
Navigate to the endpoint and provide the any server URL for example: https://localhost:9446/ibm/api/adminCenter/v1/utils/url/getTool?url=http://localhost:9446"
Check the server for the response and it is observed that application is making an http interaction to the server.
{
"urlReachable": false,
"tool": {
"id": "",
"type": "bookmark",
"name": "",
"url": "http://localhost:9446/",
"icon": "images/tools/defaultTool_142x142.png",
"description": ""
}
}
Expected behavior
shouldn't allow url other than http or https
Diagnostic information:
- OpenLiberty Version: [e.g. 25.0.0.9 - 26.0.0.6]
- Affected feature(s) : adminCenter-1.0
- Java Version: all
- server.xml configuration (WITHOUT sensitive information like passwords)
- If it would be useful, upload the messages.log file found in
$WLP_OUTPUT_DIR/messages.log
Additional context
Add any other context about the problem here.
Describe the bug
From the endpoint /ibm/api/adminCenter/v1/utils/url/getTool?url= an attacker can send any infinite/huge stream reachable from server (file:///dev/zero, file:///dev/urandom, or attacker-hosted endless body) and the api has no scheme allow-list, no size cap, no read timeout.
Steps to Reproduce
Authenticate with a user before you do the below step. This API is only accessible for an authenticated user (admin/reader).
Navigate to the endpoint and provide the any server URL for example: https://localhost:9446/ibm/api/adminCenter/v1/utils/url/getTool?url=http://localhost:9446"
Check the server for the response and it is observed that application is making an http interaction to the server.
{
"urlReachable": false,
"tool": {
"id": "",
"type": "bookmark",
"name": "",
"url": "http://localhost:9446/",
"icon": "images/tools/defaultTool_142x142.png",
"description": ""
}
}
Expected behavior
shouldn't allow url other than http or https
Diagnostic information:
$WLP_OUTPUT_DIR/messages.logAdditional context
Add any other context about the problem here.