FRESH

Hacker News

Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE

101 points by arwt

by piccirello

1 subcomments

I work on security at PostHog. We resolved these SSRF findings back in October 2024 when this report was responsibly disclosed to us. I'm currently gathering the relevant PRs so that we can share them here. We're also working on some architectural improvements around egress, namely using smokescreen, to better protect against this class of issue.

by yellow_lead

1 subcomments

Need an edit here
> As it described on Clickhouse documentation, their API is designed to be READ ONLY on any operation for HTTP GET As described in the Clickhouse documentation, their API is designed to be READ ONLY on any operation for HTTP GET requests.

by lkt

1 subcomments

0 subcomment

by anothercat

1 subcomments

Does this require authenticated access to the posthog api to kick off? In that case I feel clickhouse and posthog both have their share of the blame here.

by thenaturalist

2 subcomments

Wow, chapeau to the author.
What an elegant, interesting read.
What I don't quite understand: Why is the Clickhouse bug not given more scrutiny?
Like that escape bug was what made the RCE possible and certainly a core DB company like ClickHouse should be held accountable for such an oversight?

by danr4

1 subcomments

0 subcomment

by taw_1265

1 subcomments