Summary
If an attacker can pass the normal SSO/Access Code authentication, they can obtain the backend's real API Key by changing the Base URL in the frontend to a URL they control and selecting server-side request mode: the server then forwards the request, together with its own API Key, to the attacker's host.
Details
The attack flow is as described in the Summary; the step-by-step PoC follows.
PoC
Frontend (attacker's steps):
- Pass the basic authentication (SSO/Access Code).
- Set the Base URL to a private address controlled by the attacker.
- Set the request mode to server-side request.
- At the attacker-controlled address, read the API Key from the headers of the incoming request.
Backend (preconditions):
- The LobeChat version allows the Base URL to be set from the client.
- No outbound traffic allowlist is enforced, so the server will send the request to any host.
Impact
All community-edition LobeChat deployments that use SSO/Access Code authentication; tested on version 0.162.13.