IhateCreatingUserNames2 AiraHub2 Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in IhateCreatingUserNames2 AiraHub2, in the version identified by commit 3e4b77fd7d48ed811ffe5b8d222068c17c76495e. The affected code is the 'connect_stream_endpoint' and 'sync_agents' functions in the 'AiraHub.py' file, part of the Endpoint component. Both functions take URLs from the request ('agent_url' and 'hub_urls' respectively) and have the server issue outbound HTTP requests to them without validating the destination. A remote attacker can therefore direct those requests at internal services or at cloud metadata endpoints, potentially exposing sensitive information from inside the server's network position.

Impact

Exploitation of this vulnerability could give an attacker access to internal services or cloud metadata that are not reachable from the outside, which may contain credentials or other sensitive information. If internal administrative APIs are reachable from the AiraHub server, the forged requests could also trigger unauthorized actions or data manipulation on those systems.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/sync_agents' endpoint with a payload whose 'hub_urls' array contains an attacker-controlled URL. Alternatively, call the '/connect/stream' endpoint with an 'agent_url' parameter set to a similar attacker-controlled URL. In both cases the server makes an outbound request to the supplied URL, so pointing it at an internal-only address (or at a listener the attacker controls, to confirm the callback) demonstrates that the request originates from the AiraHub server.
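The following is an added example, not code from the AiraHub2 project or from this advisory. It shows the check a hardened 'sync_agents' or 'connect_stream_endpoint' handler would apply to the submitted 'hub_urls' / 'agent_url' values before fetching them: every address the host resolves to must be publicly routable, and the scheme and port must be on an allowlist. The handler name 'filter_hub_urls', the allowed-port list, the static DNS table and the sample payload are all constructed for the example; the advisory only states that '/admin/sync_agents' takes a 'hub_urls' array and '/connect/stream' takes an 'agent_url'.

```python
"""Added example (not AiraHub2 project code): reject SSRF targets before a
server fetches a user-supplied 'agent_url' / 'hub_urls' value.

Assumptions (not from the advisory): handler names, the allowed-port list,
the STATIC_DNS table and SAMPLE_SYNC_REQUEST are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")
ALLOWED_PORTS = (80, 443)  # assumption: hubs and agents only listen on standard ports


def _default_resolver(host):
    """Return every address the host resolves to; the HTTP client may use any of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    """True only for globally routable unicast addresses.

    ip.is_global is False for loopback, RFC 1918, link-local (which covers
    169.254.169.254, the cloud instance metadata address), CGNAT, reserved
    and the unspecified address. IPv4-mapped IPv6 (::ffff:10.0.0.1) is
    unwrapped so it cannot smuggle a private IPv4 target past the check.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=_default_resolver):
    """Return (ok, reason). ok is True only if scheme and port are allowed and
    every address the host resolves to is public."""
    try:
        parts = urlparse(url)
    except ValueError as exc:  # e.g. "http://[unterminated" raises here
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 host
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, KeyError, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolved to no addresses"
    bad = [str(a) for a in addrs if not _is_public(a)]
    if bad:
        return False, f"{host!r} resolves to non-public address(es): {', '.join(bad)}"
    return True, "ok"


def filter_hub_urls(hub_urls, resolver=_default_resolver):
    """Model of a hardened /admin/sync_agents handler: split the submitted
    'hub_urls' array into URLs that may be fetched and rejected ones with
    reasons. The vulnerable pattern the advisory describes is fetching each
    entry without this step."""
    accepted, rejected = [], {}
    for url in hub_urls:
        ok, reason = validate_outbound_url(url, resolver)
        if ok:
            accepted.append(url)
        else:
            rejected[url] = reason
    return accepted, rejected


# Constructed DNS table so the example runs offline (production uses _default_resolver).
STATIC_DNS = {
    "hub.example.org": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # one public and one private record
}


def static_resolver(host):
    return STATIC_DNS[host]  # KeyError for unknown names is treated as "cannot resolve"


# Constructed payload modelled on the reproduction steps in the advisory.
SAMPLE_SYNC_REQUEST = {"hub_urls": [
    "https://hub.example.org/agents",
    "http://169.254.169.254/latest/meta-data/",
    "http://127.0.0.1/admin/",
    "http://[::ffff:10.0.0.1]/",
    "http://metadata.internal/",
    "http://rebind.example.net/",
    "file:///etc/passwd",
]}

if __name__ == "__main__":
    accepted, rejected = filter_hub_urls(SAMPLE_SYNC_REQUEST["hub_urls"], static_resolver)
    print("accepted:", accepted)
    for url, reason in rejected.items():
        print(f"rejected {url}: {reason}")
```

Two caveats a practitioner should keep in mind. First, resolving the name here and then letting the HTTP client resolve it again leaves a window for DNS rebinding; the fetch should connect to the address that passed validation (or re-run the check on every connection) rather than trusting the hostname. Second, the check must be re-applied to every redirect target, or redirects must be disabled, since an attacker-controlled public host can otherwise 302 the server into the metadata service.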

Added: Apr 25, 2026, 3:18 PM
Updated: Apr 25, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.