Server-side Request Forgery in OpenID support

Putra Adhari
Dec 24, 2018


Liberapay Profile at HackerOne

I just wanted to find a bug at Liberapay, but when I wanted to change the profile photo the page automatically redirected to libravatar.org.

Steps to Reproduce

1. I must register at libravatar.org to become a member.
2. Go to the Profile page, where there is an "Add a new OpenID" menu, and click it.
3. On that page you can add a URL from anywhere, so it's time to exploit that with SSRF.
4. I try to add a URL like this: http://127.0.0.1:31337

The page will show <urlopen error [Errno 111] Connection refused> because the port isn't open, but if I add a URL like this, http://127.0.0.1:80, the page will show "No usable OpenID services found for http://127.0.0.1:80" (port 80 is open).

If I check with Nmap it looks like this: 80/tcp open http Apache httpd

And now I'll try to get a request to my VPS.
I add a URL like this: http://myvpsserver.example:31337 and listen with netcat on port 31337.
And it works!!!

Reference: https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF

Impact

Server-Side Request Forgery (SSRF) refers to an attack in which an attacker is able to make a vulnerable web application send a crafted request on their behalf. SSRF is usually used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network. Additionally, an attacker can leverage SSRF to reach services on the same server that listen only on the loopback interface (127.0.0.1).

Reference: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
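The defensive fix for this class of bug is to validate the user-supplied OpenID URL before the server fetches it (scheme, port, and every address the hostname resolves to), and to return one generic error so the response no longer reveals whether a port is open, as the two different messages above did. The following Python is an added example written for this post, not libravatar's own code; the policy constants, the `fetch` callback and the `resolver` hook are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed policy for a hypothetical OpenID discovery fetcher (not
# libravatar's code): only public web origins on standard ports may be fetched.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
# One message for every failure, so the caller cannot tell a closed port
# ("Connection refused") from an open one ("No usable OpenID services found").
GENERIC_ERROR = "Could not verify that URL as an OpenID identifier"


class UnsafeOpenIDURL(ValueError):
    """Raised when a user-supplied identifier must not be fetched server-side."""


def _is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_openid_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeOpenIDURL."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise UnsafeOpenIDURL("scheme or host not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeOpenIDURL("port not allowed")
    # Check every address the name resolves to: a hostname whose A record
    # points at 127.0.0.1 or 10.0.0.1 is as dangerous as the literal address.
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeOpenIDURL("name does not resolve") from exc
    for info in infos:
        if not _is_public(ipaddress.ip_address(info[4][0])):
            raise UnsafeOpenIDURL("non-public address")
    return url


def discover_openid(url: str, fetch, resolver=socket.getaddrinfo):
    """Validate, then fetch; collapse every failure into one generic message.

    fetch(url) is the caller's HTTP client; it should connect to the address
    validated above rather than resolve the name again (DNS rebinding).
    """
    try:
        validate_openid_url(url, resolver)
        return True, fetch(url)
    except (UnsafeOpenIDURL, OSError, ValueError):
        return False, GENERIC_ERROR
```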

Regards, BugHunter Indonesia, BugBounty ID.

Timeline

Report (16 Dec 2018)

Libravatar appreciated me (17 Dec 2018)

Libravatar added me to the HOF (24 Dec 2018)


Bug Fix and Release

https://bugs.launchpad.net/libravatar/+bug/1808720
