Coordinated Disclosure Timeline

Summary

A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in PostHog.

Product

posthog/posthog

Tested Version

1.43.1

Details

SSRF in test_slack_webhook method (GHSL-2023-185)

The test_slack_webhook method in posthog/api/user.py does not validate the user-controlled webhook variable and uses it to send POST requests on line 283, which leads to server-side request forgery.

import json

import requests
from django.http import JsonResponse


def test_slack_webhook(request):
    """Test webhook."""
    try:
        body = json.loads(request.body)
    except (TypeError, json.decoder.JSONDecodeError):
        return JsonResponse({"error": "Cannot parse request body"}, status=400)

    webhook = body.get("webhook")

    if not webhook:
        return JsonResponse({"error": "no webhook URL"})
    message = {"text": "_Greetings_ from PostHog!"}
    try:
        # Vulnerable call (line 283 in the tested version): the user-supplied URL is
        # used without validation, and TLS verification is disabled as well.
        response = requests.post(webhook, verify=False, json=message)
    # The advisory's excerpt ends inside the try block above; the clause and return
    # below are a minimal completion assumed here so the snippet is syntactically
    # complete, not PostHog's own code.
    except requests.exceptions.RequestException as exc:
        return JsonResponse({"error": str(exc)})
    return JsonResponse({"success": True, "status_code": response.status_code})

This issue was found using CodeQL’s Request Forgery query.
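As an added example that is not part of this advisory and not PostHog's code (PostHog's actual fix is not reproduced here), the following shows a hardened counterpart to the snippet above: the webhook URL is validated before use, and the request is sent with TLS verification on, without following redirects, and with a timeout. The FAKE_DNS table, fake_resolver, stub_post and the address 93.184.216.34 are constructed so the example runs offline; validate_webhook_url and send_test_message_hardened are names chosen here.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed for this example (not from PostHog): an offline stand-in for DNS.
# 93.184.216.34 stands in for a public address; the others are private, link-local
# or loopback so the validator has something to reject.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # mixed answers: reject whole name
}


def fake_resolver(host):
    """Constructed resolver for the example; fails like socket.gaierror on unknown hosts."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host!r}")


def system_resolver(host):
    """Real resolver: every address (A and AAAA) the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason). ok is True only for http(s) URLs with no embedded
    credentials whose every address is globally routable (not loopback, private,
    link-local, multicast or otherwise reserved)."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}"
    for addr in addrs:
        if (not addr.is_global or addr.is_loopback
                or addr.is_link_local or addr.is_multicast):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


class _StubResponse:
    status_code = 200


def stub_post(url, **kwargs):
    """Constructed stand-in for requests.post so the example runs without network."""
    return _StubResponse()


def send_test_message_hardened(webhook, post, resolver=system_resolver):
    """Hardened counterpart of the advisory's request: validate first, keep TLS
    verification on, refuse redirects (a 30x could otherwise steer the server to an
    address the check rejected) and bound the request time. `post` is the HTTP
    function to use, e.g. requests.post in a real deployment."""
    ok, reason = validate_webhook_url(webhook, resolver)
    if not ok:
        return {"error": reason}
    response = post(webhook, json={"text": "_Greetings_ from PostHog!"},
                    verify=True, allow_redirects=False, timeout=5)
    return {"success": True, "status_code": response.status_code}


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/services/T0/B0/x",
                      "http://127.0.0.1:8000/", "http://intranet.example/",
                      "http://metadata.example/", "file:///etc/hosts"):
        print(candidate, "->", send_test_message_hardened(candidate, stub_post, fake_resolver))
```

One caveat a practitioner should keep in mind: the validator resolves the name once and the HTTP client resolves it again, so a name whose answers change between the two calls (DNS rebinding) can still slip past the check. Pinning the resolved address for the actual connection, or routing all outbound webhook traffic through an egress proxy that enforces the same policy, closes that gap.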

Impact

The SSRF allows for forging POST requests from the PostHog server.

CVE

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-185 in any communication regarding this issue.