Rocket.Chat SSRF in links preview and privilege escalation via misconfigured MongoDB

SSRF - bypassing blacklist

Despite the introduction of a blacklist (https://github.com/RocketChat/Rocket.Chat/issues/1990) for link previews, it was still possible to supply a domain that resolves to a prohibited address, because the check did not cover hostnames that resolve there, e.g. by pointing your own domain at the address or by using a service like http://xip.io.

Privilege escalation via misconfigured MongoDB

Point your domain at a server running redirect.rb and then send a message containing the appropriate URL to perform the attack:

This affects MongoDB instances with the HTTP interface enabled (the --rest argument), although it has not been enabled by default since 1.4.