Coordinated Disclosure Timeline

  • 2023-08-28: Sent the report to security@posthog.com
  • 2023-09-28: Asked for an update
  • 2023-10-31: Created an issue in the project repository asking for a contact person or email.
  • 2023-11-07: A draft advisory is created and a CVE is assigned: CVE-2023-46746.
  • 2023-11-16: Asked in the GitHub private vulnerability report (PVR) to publish the advisory.
  • 2023-11-27: Asked over email to publish the advisory.
  • 2023-11-28: Advisory published: GHSA-wqqw-r8c5-j67c.

Summary

A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in PostHog.

Product

posthog/posthog

Tested Version

1.43.1

Details

SSRF in test_slack_webhook method (GHSL-2023-185)

The test_slack_webhook method in posthog/api/user.py does not validate the user-controlled webhook value before passing it as the destination URL of requests.post on line 283, with TLS certificate verification disabled (verify=False). An authenticated user can therefore make the PostHog server issue a POST request to any URL they choose, which is a server-side request forgery.

import json

import requests
from django.http import JsonResponse


def test_slack_webhook(request):
    """Test webhook."""
    try:
        body = json.loads(request.body)
    except (TypeError, json.decoder.JSONDecodeError):
        return JsonResponse({"error": "Cannot parse request body"}, status=400)

    webhook = body.get("webhook")

    if not webhook:
        return JsonResponse({"error": "no webhook URL"})
    message = {"text": "_Greetings_ from PostHog!"}
    try:
        # Vulnerable call: `webhook` comes straight from the request body and is
        # used as the destination URL, with TLS certificate verification disabled.
        response = requests.post(webhook, verify=False, json=message)
    except requests.RequestException:
        # The advisory excerpt stops at the vulnerable call; the original
        # error handling and success response are not reproduced here.
        raise

This issue was found using CodeQL’s Request Forgery query.
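For contrast, the following is a hardened version of the same check, written for this advisory as an added example. It is not PostHog's code and not the fix the project shipped. The policy it enforces is an assumption chosen for the example: only https:// URLs are accepted, every address the hostname resolves to must be globally routable (so loopback, RFC 1918, link-local and IPv4-mapped tricks are rejected), TLS verification stays on, and redirects are not followed. The names validate_webhook_url, is_safe_webhook and handle_test_webhook are hypothetical; the resolver and the HTTP client are injectable so the validation path can be exercised offline.

```python
"""Hardened version of the webhook test, written for this advisory as an added
example. It is not PostHog's code or its actual fix. Policy choices here are
assumptions: only https:// is accepted, every address the host resolves to must
be globally routable, TLS verification stays on, and redirects are not followed
(a 3xx after validation could otherwise steer the request to an internal host).
"""
import ipaddress
import json
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: Slack incoming webhooks are https-only

Resolver = Callable[[str], List[str]]


def resolve_host(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host, as address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_webhook_url(url: str, resolver: Resolver = resolve_host) -> str:
    """Return url unchanged if it passes the SSRF policy, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("only https:// webhooks are allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        # "https://hooks.slack.com@10.0.0.5/" would otherwise look like Slack.
        raise ValueError("credentials in the webhook URL are not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
        # is_global is False for loopback, RFC 1918, link-local (which covers the
        # 169.254.169.254 cloud metadata endpoint), CGNAT and IPv6 ULA ranges.
        if not addr.is_global:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return url


def is_safe_webhook(url: str, resolver: Resolver = resolve_host) -> bool:
    """Boolean convenience wrapper around validate_webhook_url."""
    try:
        validate_webhook_url(url, resolver=resolver)
    except ValueError:
        return False
    return True


def handle_test_webhook(
    request_body: bytes,
    *,
    resolver: Resolver = resolve_host,
    post: Optional[Callable] = None,
) -> Tuple[dict, int]:
    """Framework-agnostic equivalent of the view: returns (json payload, status).

    `post` is injectable so the validation path can be exercised with no network;
    the default uses requests.post with verification on and redirects disabled.
    """
    try:
        body = json.loads(request_body)
    except (TypeError, json.JSONDecodeError):
        return {"error": "Cannot parse request body"}, 400
    webhook = body.get("webhook") if isinstance(body, dict) else None
    if not isinstance(webhook, str) or not webhook:
        return {"error": "no webhook URL"}, 400
    try:
        url = validate_webhook_url(webhook, resolver=resolver)
    except ValueError as exc:
        return {"error": f"invalid webhook URL: {exc}"}, 400
    if post is None:
        import requests  # imported lazily so the validator has no third-party dependency

        def post(target, **kwargs):
            return requests.post(target, timeout=5, allow_redirects=False, **kwargs)

    response = post(url, json={"text": "_Greetings_ from PostHog!"})
    return {"success": bool(response.ok)}, 200
```

Two caveats apply to any resolve-then-check design like this one. First, the name is resolved once at validation time and again by the HTTP client, so an attacker-controlled DNS name can answer with a public address first and an internal one second (DNS rebinding); pinning the validated address into the connection, or simply allowlisting the webhook hostnames the feature is meant for, closes that gap. Second, the check must run on every hop, which is why redirects are disabled rather than followed.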

Impact

The SSRF allows an authenticated user to make the PostHog server issue POST requests to an attacker-chosen URL, with TLS certificate verification disabled, including hosts that are only reachable from the server's own network.

CVE

  • CVE-2023-46746

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-185 in any communication regarding this issue.