LNbits
cpe:2.3:a:lnbits:lnbits:*:*:*:*:*:*:*
- < 0.12.12
A Server-Side Request Forgery (SSRF) vulnerability exists in LNbits versions prior to 0.12.12, specifically within the LNURL authentication handling. The issue arises because the application accepts user-provided callback URLs and makes HTTP requests to those URLs, following redirects without proper validation. This flaw allows attackers to specify internal network addresses, access internal resources, and potentially expose sensitive information or services that should not be accessible from the internet.
Exploitation of this vulnerability allows authenticated attackers to access internal network resources that are not exposed to the internet. This could lead to unauthorized access to internal files, services, or sensitive information. Although authentication is required, any user who can create a wallet has the necessary access to exploit this vulnerability.
To reproduce this vulnerability, first create a new wallet account to obtain an admin key. Then, use this admin key to send a crafted LNURL authentication request, including a callback URL that points to an internal server. The application will make an HTTP request to the specified internal URL, bypassing normal access restrictions and potentially exposing internal resources.
Users are advised to update to LNbits version 1.0.0 or later. Additionally, implement strict validation for callback URLs in LNURL authentication, ensuring they only point to allowed domains and networks. Disable redirect following in HTTP requests or apply strict validation for redirects. Consider using a proxy service to restrict access to internal networks when making external HTTP requests.
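Callback validation along the lines of the mitigation above, as an added example (Python, not LNbits' own code): the host is resolved and every returned address is checked against loopback, private, link-local, reserved and multicast ranges, IPv4-mapped IPv6 literals are unwrapped, and the fetch itself refuses redirects. The host names and addresses in `FAKE_DNS` are constructed.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

def resolve_host(host):  # default resolver: every A/AAAA record the name points to
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_callback_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied LNURL callback. Rejects non-HTTP schemes,
    embedded credentials, and any host resolving to a non-global address (loopback,
    RFC1918, 169.254.169.254 metadata, reserved, multicast); every DNS record is vetted."""
    parsed = urlparse(url)
    if parsed.scheme not in ("https", "http"):
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    if not parsed.hostname:
        return False, "missing host"
    try:  # accept an IP literal (including [::1] forms) or resolve the hostname
        try:
            addrs = {str(ipaddress.ip_address(parsed.hostname))}
        except ValueError:
            addrs = set(resolver(parsed.hostname))
    except (OSError, ValueError):
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # unwrap ::ffff:127.0.0.1 so it hits the loopback check
        if not ip.is_global or ip.is_multicast:
            return False, f"resolves to non-global address {addr}"
    return True, "ok"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects outright: a vetted URL must not bounce the server elsewhere."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)

def fetch_callback(url, timeout=5):
    """Fetch a callback only after validation, with redirect following disabled."""
    ok, reason = validate_callback_url(url)
    if not ok:
        raise ValueError(f"callback rejected: {reason}")
    with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
        return resp.read()

# Constructed DNS data for offline demonstration (hypothetical hosts and addresses).
FAKE_DNS = {"wallet.example": ["51.15.0.1"], "dual.example": ["51.15.0.1", "10.0.0.5"]}
```

Validating and then fetching by name still leaves a DNS rebinding window; a production version should connect to the vetted address directly (or resolve once inside the HTTP client) rather than letting the client resolve the name a second time.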