Lucy XSS Filter Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Lucy XSS Filter prior to commit 7c1de6d. Because the filter is applied to untrusted HTML, an attacker who can submit markup to an application that runs it can make the filtering server issue HEAD requests to arbitrary URLs. The issue arises when the ObjectSecurityListener or EmbedSecurityListener options are enabled and an object or embed tag carries a src attribute whose path has no file extension: with no extension to infer a MIME type from, the listener resolves the type dynamically by sending a HEAD request to the attacker-supplied URL.
Impact
Exploitation of this vulnerability exposes the server's Java version to whichever host the request reaches (Java's default HTTP client identifies itself in the User-Agent header) and allows the server to be used as a proxy to reach hosts on its internal network that the attacker cannot contact directly. The attacker controls the URL, including scheme, host, port and path, but not the request method or body. This is particularly harmful where internal HTTP handlers are loosely configured to accept any method, since a HEAD request to the right path can then trigger state changes in internal services.
Reproduction
The vulnerability can be reproduced by enabling the ObjectSecurityListener or EmbedSecurityListener options in Lucy XSS Filter and filtering HTML that contains an object or embed tag whose src attribute has no file extension and points at a host on which incoming HTTP requests can be observed, for example <embed src="http://listener.example/probe"> with a listener under the tester's control. When the tag is processed, the filtering server sends a HEAD request to the specified URL; its arrival in the listener's log, together with the Java/... User-Agent that the default Java HTTP client sends, demonstrates the SSRF vulnerability. A src that ends in a recognised extension, such as .swf, does not trigger the request, which confirms that the extensionless path is the condition.
Remediation
To address this vulnerability, update to a build that includes commit 7c1de6d, or modify the dynamic MIME type checking mechanism used by the 'checkVulnerableWithHttp' function in the same way. Instead of issuing an HTTP request to determine the MIME type, which is what creates the SSRF primitive, use a fixed value such as 'application/octet-stream' whenever the type cannot be determined from the src itself. The extensionless src is then treated as opaque binary content and evaluated by the listener's existing rules without any outbound request from the filtering server.
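The following is an added illustration of the mechanism described in the Reproduction and Remediation sections above; it is not code from Lucy XSS Filter or its maintainers. It models the pre-fix behaviour (an extensionless src is resolved with an outbound HEAD request) next to the recommended hardened behaviour (a fixed application/octet-stream fallback), and stands up a local HTTP listener so the outbound request and its User-Agent header can be observed offline. The method names contentTypeVulnerable and contentTypeHardened, the small extension-to-MIME table and the constructed local listener are assumptions made for the demonstration, not the project's API.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Added demonstration of the extensionless-src SSRF pattern. This is NOT
 * Lucy XSS Filter code: method names and the MIME table are assumptions
 * modelled on the advisory's description of the behaviour.
 */
public class ExtensionlessSrcSsrfDemo {

    // Records "METHOD path UA=..." for every request the constructed listener receives.
    static final List<String> received = new CopyOnWriteArrayList<>();

    // Pre-fix behaviour: no extension -> resolve the MIME type with an outbound HEAD request.
    static String contentTypeVulnerable(String src) throws IOException {
        String ext = extensionOf(src);
        if (!ext.isEmpty()) {
            return mimeForExtension(ext);
        }
        HttpURLConnection con = (HttpURLConnection) new URL(src).openConnection();
        con.setRequestMethod("HEAD");      // attacker-controlled URL is contacted here
        con.setConnectTimeout(2000);
        con.setReadTimeout(2000);
        String type = con.getContentType(); // forces the request to be sent
        con.disconnect();
        return type == null ? "" : type;
    }

    // Hardened form per the advisory: never fetch, fall back to a fixed value instead.
    static String contentTypeHardened(String src) {
        String ext = extensionOf(src);
        return ext.isEmpty() ? "application/octet-stream" : mimeForExtension(ext);
    }

    // Extension of the URL path's last segment, lower-cased, or "" when there is none.
    static String extensionOf(String src) {
        String path = URI.create(src).getPath();
        if (path == null) return "";
        int slash = path.lastIndexOf('/');
        int dot = path.lastIndexOf('.');
        return dot > slash ? path.substring(dot + 1).toLowerCase() : "";
    }

    // Tiny table standing in for a real extension-to-MIME map (demo assumption).
    static String mimeForExtension(String ext) {
        switch (ext) {
            case "swf": return "application/x-shockwave-flash";
            case "mp4": return "video/mp4";
            default:    return "application/octet-stream";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local target standing in for an internal host the attacker wants probed.
        HttpServer target = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        target.createContext("/", ex -> {
            received.add(ex.getRequestMethod() + " " + ex.getRequestURI()
                    + " UA=" + ex.getRequestHeaders().getFirst("User-Agent"));
            ex.getResponseHeaders().add("Content-Type", "text/plain");
            ex.sendResponseHeaders(200, -1);  // -1: no body, as a HEAD response should have
            ex.close();
        });
        target.start();
        int port = target.getAddress().getPort();

        // src values as an attacker would place them in <object src=...> or <embed src=...>.
        String extensionless = "http://127.0.0.1:" + port + "/admin/status"; // no file extension
        String withExtension = "http://127.0.0.1:" + port + "/movie.swf";    // extension present

        try {
            System.out.println("vulnerable, .swf        : " + contentTypeVulnerable(withExtension));
            System.out.println("vulnerable, no extension: " + contentTypeVulnerable(extensionless));
            System.out.println("requests seen by target : " + received);

            received.clear();
            System.out.println("hardened, no extension  : " + contentTypeHardened(extensionless));
            System.out.println("requests seen by target : " + received); // stays empty
        } finally {
            target.stop(0);
        }
    }
}
```

Compile with javac and run the class: the first "requests seen by target" line contains exactly one entry, a HEAD for /admin/status whose User-Agent begins with Java/ and the JDK version, which is the disclosure described under Impact; the .swf src never reaches the listener, and the hardened variant produces an empty list because it answers from the src alone. Substituting an internal address for 127.0.0.1 in the src value is precisely what the advisory's attacker does, which is why the fixed-value fallback, rather than a tighter URL check, is the recommended fix.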
