Hi, I get in touch to report that detectportal.firefox.com is vulnerable to server side request forgery (SSRF) SSRF is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. Usually, Server Side Request Forgery (SSRF) attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it’s possible to access these systems). With SSRF it’s also possible to access services from the same server that is listening on the loopback interface. Using Server Side Request Forgery attacks it’s possible to: Scan and attack systems from the internal network that are not normally accessible Enumerate and attack services that are running on these hosts Exploit host-based authentication services Issuing the following request: GET http://email@example.com:22 HTTP/1.1 Host: detectportal.firefox.com Pragma: no-cache Cache-Control: no-cache, no-transform Connection: close Will cause a connection to your SSH service on directtv.com. See the SSH banner below: HTTP/1.0 200 OK Server: squid Mime-Version: 1.0 Date: Sat, 19 Aug 2017 07:38:02 GMT X-Transformed-From: HTTP/0.9 X-Cache: MISS from localhost X-Cache-Lookup: MISS from localhost:80 Connection: close SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6 Protocol mismatch. With this vulnerability, I am able to gain information about the local system, and potentially machines in neighbor networks to that machine. I can also send GET requests to a service running on any port on a system accessible to this machine. This could potentially cause damage to those internal applications. For examples of applications that may be vulnerable, please check out this reference which is now a bit outdated, but shows that there is a non zero amount of applications that may be vulnerable. Note that I could spend more time trying to figure out what applications there may be that are vulnerable on your internal network, but I feel this would go outside the intended scope of the bounty brief. Let me know if you need any more clarification or if you have questions. I'm happy to provide a screencast and/or screenshots of the vulnerability if needed. Cheers
Are you sure that you're not just connecting to ssh on your own personal machine? A URL like this: http://firstname.lastname@example.org:22 Is telling your browser to connect to SSH on your personal machine with a login of "detectportal.firefox.com".
Hi, I further investigated the issue and it turns out it is a vulnerability in my VPN provider. I was using an upstream proxy and they were trying to connect to their loopback interface. You can close the ticket sorry about this. Cheers
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.