[Websphere Portal] Chaining a restrictive SSRF with an Open Redirect to achieve a better SSRF primitive

We discussed this vulnerability as part of our weekly podcast on 11 January 2022

Not all SSRF vulnerabilities are equal, a common mitigation is to limit the locations that can be accessed; in the case of WebSphere Portal, this is exactly what was found, yet it could still be exploited.

In the Portal server they found a proxy endpoint that would proxy requests to Portal to a set of whitelisted domains:

  • http://www.ibm.com/
  • http://www-03.ibm.com/
  • http://www.redbooks.ibm.com/

As the configuration also allowed following redirects, the author was able to chain this with an Open redirect in Lotus Domino running on redbooks.ibm.com to redirect to an arbitrary location.

There is not much said about exploiting this issue, though if running within a cloud envrionment, the metadata server is a good target. They also looked at targeting the Admin control for WebSphere which runs on the local machine, but shouldn’t be exposed to the internet. Unfortunately they did not manage to find an attack path, but local resources are another good target to escalate an SSRF.