Psi Probe Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Psi Probe versions through 5.3.0. The flaw is in the Whois component, specifically in the lookup function of Whois.java. An authenticated attacker can control the whois referral response returned for a domain they register, causing the application to connect to an arbitrary server named in that referral without validating it. The attack can be carried out remotely and lets the attacker scan internal networks, reach restricted services, and bypass firewall controls from the application server's network position.
Impact
Exploitation of this vulnerability allows internal network scanning, access to internal services such as databases and administrative panels, data exfiltration over the whois protocol, and bypassing of access controls by routing connections through the application server's trusted IP address.
Reproduction
To reproduce this vulnerability, register a domain whose whois record includes a malicious ReferralServer header pointing to an internal IP address. Then send an authenticated request to the Psi Probe application querying that domain. The application follows the referral and connects to the specified internal address, allowing reconnaissance of or access to internal services.
Remediation
It is recommended to restrict referral following to an allowlist of trusted whois servers, or to disable referral following in the Whois component altogether. Network segmentation can also be used to restrict outbound connections from the application server to only the services it needs.
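The allowlist-based remediation described above, as an added example in Python that is not Psi Probe's code: a referral-following policy that parses the ReferralServer line of a whois response, refuses literal IP targets, refuses any host that is not on a fixed list of trusted registries, and separately checks each resolved address before a connection is made. The names TRUSTED_WHOIS_SERVERS, check_referral and is_safe_address, and the sample whois responses, are constructed for this illustration.

```python
"""Referral-following policy for a whois client: allowlist plus address sanity checks.

Constructed example; it is not Psi Probe code. TRUSTED_WHOIS_SERVERS, check_referral,
is_safe_address and the sample responses below are this example's own.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only servers whose referrals the client will follow.
# An operator populates this with the registries the deployment actually needs.
TRUSTED_WHOIS_SERVERS = frozenset({
    "whois.iana.org",
    "whois.arin.net",
    "whois.ripe.net",
    "whois.apnic.net",
})
WHOIS_PORT = 43

# ReferralServer lines look like "ReferralServer: whois://whois.ripe.net" or
# "ReferralServer: rwhois://rwhois.example.net:4321". The value is attacker-controlled:
# the queried record is written by whoever registered the domain.
_REFERRAL_RE = re.compile(r"^\s*ReferralServer:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_referral(response: str):
    """Extract (scheme, host, port) from the first ReferralServer line, or None if absent.

    Raises ValueError when a referral is present but cannot be parsed into a hostname
    and port; the caller treats that as a rejection, never as "follow anyway".
    """
    m = _REFERRAL_RE.search(response)
    if not m:
        return None
    target = m.group(1)
    if "://" not in target:
        target = "whois://" + target  # bare "host:port" form
    parts = urlsplit(target)
    host = parts.hostname  # already lowercased; brackets stripped from IPv6 literals
    if not host:
        raise ValueError("referral has no hostname")
    port = parts.port  # raises ValueError on a non-numeric port
    return parts.scheme.lower(), host.rstrip("."), port or WHOIS_PORT


def is_safe_address(addr_text: str) -> bool:
    """True only for a globally routable unicast address.

    Run this on every address the referral host resolves to, immediately before
    connecting. It blocks loopback, RFC 1918, link-local (including cloud metadata
    ranges), multicast and other non-global space regardless of the hostname used.
    """
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def check_referral(response: str):
    """Decide whether the referral in a whois response may be followed.

    Returns ("none", "") when there is no referral, ("follow", "host:port") when every
    check passes, or ("reject", reason) otherwise. Anything unexpected is a rejection.
    """
    try:
        parsed = parse_referral(response)
    except ValueError as exc:
        return "reject", f"unparseable referral: {exc}"
    if parsed is None:
        return "none", ""
    scheme, host, port = parsed

    if scheme != "whois":
        return "reject", f"unsupported scheme {scheme!r}"
    # A literal IP is never how a trusted registry names itself, and it is exactly how
    # an internal host would be named in a malicious record.
    try:
        ipaddress.ip_address(host)
        return "reject", f"literal IP address {host} as referral target"
    except ValueError:
        pass
    if host not in TRUSTED_WHOIS_SERVERS:
        return "reject", f"{host} is not an allowlisted whois server"
    if port != WHOIS_PORT:
        return "reject", f"non-standard port {port}"
    return "follow", f"{host}:{port}"


# Constructed whois responses: a malicious record of the kind the advisory describes,
# and a benign registry referral.
MALICIOUS_RESPONSE = (
    "Domain Name: EXAMPLE.TEST\n"
    "ReferralServer: whois://10.0.0.5:43\n"
)
BENIGN_RESPONSE = (
    "OrgName: Example Org\n"
    "ReferralServer: whois://whois.ripe.net\n"
)

if __name__ == "__main__":
    for label, resp in (("malicious", MALICIOUS_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(label, check_referral(resp))
```

The two checks are deliberately independent: check_referral decides from the hostname alone and needs no network access, while is_safe_address is meant to be applied to the resolved addresses right before connect, so that a DNS answer pointing an allowlisted name at an internal address is still refused. Disabling referral following entirely, the advisory's other option, is the simpler fix where referrals are not needed.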
