MediaWiki, which is a PHP application, claimed to have a deprecated dependency that was an HTTP web server called got. How does this affect MediaWiki? Some submodules were using this.
The got library added support for making requests via Unix domain sockets. This was to allow requests to be made to a local server, similar to localhost. Unix sockets are extremely powerful, so filtering should be done by the end user. This support added the unix:/ and http://unix:/ schemes. The latter scheme was borrowed from the npm request library's implementation.
The got library was not considering that redirects could occur to Unix sockets. By sending the request to our own server and answering with a 30X redirect that points at a Unix socket, it would be possible to hit a Unix socket from the request; this is a really bad SSRF vulnerability. Filtering wouldn't work in this case, since the filter only sees the original URL and the request would follow the redirect anyway. This issue was present in the request framework as well.
How would somebody exploit this? By hitting a locally running Unix socket. A common Unix socket would be the Docker socket, which can be used for creating and killing containers, getting logs and much more.
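An added example, not code from got, request or MediaWiki: it checks every redirect hop rather than only the initial URL, which is the gap described above. `followSafely`, `isUnixSocketUrl`, the `fetchHop` callback, the hostnames and the socket path are hypothetical or constructed, and the Unix-socket check is an assumption based on the two URL forms named above.

```javascript
// Added example; all names are hypothetical, not part of got or request.
const MAX_REDIRECTS = 5;

// Assumption: a Unix-socket target is any URL in one of the two forms the
// page names, unix:/... or http(s)://unix:/...
function isUnixSocketUrl(url) {
  if (url.protocol === 'unix:') return true;
  const web = url.protocol === 'http:' || url.protocol === 'https:';
  return web && url.hostname.toLowerCase() === 'unix';
}

// fetchHop(urlString) -> { status, location } stands in for one HTTP
// request made with automatic redirect following disabled.
function followSafely(startUrl, fetchHop) {
  let current;
  try {
    current = new URL(startUrl);
  } catch {
    return { ok: false, reason: 'invalid-url', url: startUrl, hops: [] };
  }
  const hops = [];
  for (let i = 0; i <= MAX_REDIRECTS; i++) {
    // Checked on every hop, not only on the user-supplied URL.
    if (isUnixSocketUrl(current)) {
      return { ok: false, reason: 'unix-socket-target', url: current.href, hops };
    }
    hops.push(current.href);
    const res = fetchHop(current.href);
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) return { ok: true, url: current.href, status: res.status, hops };
    try {
      current = new URL(res.location, current); // resolves a relative Location
    } catch {
      return { ok: false, reason: 'invalid-location', url: res.location, hops };
    }
  }
  return { ok: false, reason: 'too-many-redirects', url: current.href, hops };
}

// Constructed responses: an external host answers with a 302 to a socket URL.
const constructedResponses = new Map([
  ['https://files.example/logo.png', { status: 200 }],
  ['https://redirector.example/a', { status: 302, location: '/b' }],
  ['https://redirector.example/b', { status: 302, location: 'http://unix:/run/example.sock:/info' }],
]);
const fakeHop = (u) => constructedResponses.get(u) || { status: 404 };
console.log(followSafely('https://files.example/logo.png', fakeHop));
console.log(followSafely('https://redirector.example/a', fakeHop));
console.log(followSafely('unix:/run/example.sock:/info', fakeHop));
```

The second call passes an allow-list applied to the starting URL alone, and is only stopped because the check runs again on the redirect target.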
Overall, an interesting dive down the dependency rabbit hole and a reminder of how hard URLs are to handle in the modern web.