
SSRF via /Attachment/fromImageUrl endpoint

Moderate
yurikuzn published GHSA-g955-rwxx-jvf6 Dec 5, 2023

Package

espocrm (PHP)

Affected versions

<=8.0.2

Patched versions

8.0.5

Description

Summary

There is a server-side request forgery (SSRF) in the upload-image-from-URL API, /Attachment/fromImageUrl.

Details

Users who can call /Attachment/fromImageUrl can supply a URL that points to an internal host. The response is checked for an image content type, but in some cases that check can be bypassed with a redirect, so the body of the internal response ends up stored as an attachment.

PoC

Log in as a user who can access the attachment APIs and, with those credentials, make a POST request to /api/v1/Attachment/fromImageUrl
with the following body:

{
  "url": "http://localhost:8888",
  "parentType": "Note",
  "field": "attachments"
}

On the server host, listen on localhost:8888: the listener receives a request from the application, even though that port is normally not reachable from outside.

To bypass the content-type check, use a redirect. For example, pass https://ssrf.localdomain.pw/img-with-body/301-http-127.0.0.1:8888-.i.jpg as the URL: the redirector answers with a spoofed image content type and redirects to the internal host, and the body of the final response is saved as an attachment. The stored response can then be retrieved through the /api/v1/Attachment/file/id endpoint, using the id of the new attachment.
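The two PoC steps above (the direct request to localhost, and the redirect that defeats the content-type check) and the corresponding fix are easiest to see side by side. The following Python example is added here and is not EspoCRM's code: the naive_fetch_image function is a reconstruction of the behaviour the advisory describes, not the project's actual implementation, and safe_fetch_image shows the hardening a fix needs (validate the resolved address of every hop, and judge the content type of the final response). DNS and HTTP are replaced by constructed in-memory tables so it runs offline; the host names, URLs and "public" IP addresses in those tables are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Constructed stand-in for DNS and HTTP so the example runs offline. The redirect
# chain mirrors the advisory's PoC: a public redirector answers 301 with a spoofed
# image Content-Type and points at a loopback service on port 8888. The "public"
# addresses are arbitrary values chosen for the example, not real lookups.
REDIRECTOR = "https://ssrf.localdomain.pw/img-with-body/301-http-127.0.0.1:8888-.i.jpg"
FAKE_DNS: Dict[str, List[str]] = {
    "ssrf.localdomain.pw": ["104.21.5.6"],
    "img.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
}
FAKE_HTTP: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    REDIRECTOR: (301, {"Content-Type": "image/jpeg", "Location": "http://127.0.0.1:8888"}, b""),
    "http://127.0.0.1:8888": (200, {"Content-Type": "text/plain"}, b"internal-service-secret"),
    "http://localhost:8888": (200, {"Content-Type": "text/plain"}, b"internal-service-secret"),
    "http://img.example.com/cat.jpg": (200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0 jpeg bytes"),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve(host: str) -> List[str]:
    """Literal IPs resolve to themselves; names go through the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_ip(ip: str) -> bool:
    """Reject every non-routable class, not just RFC 1918. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped first; older Python versions do not flag it."""
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        a = a.ipv4_mapped
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
                or a.is_reserved or a.is_unspecified
                or a in ipaddress.ip_network("100.64.0.0/10"))  # carrier-grade NAT


def check_destination(url: str) -> None:
    """Validate one hop before any connection is made; raises ValueError on failure."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise ValueError(f"scheme {p.scheme!r} not allowed")
    if not p.hostname:
        raise ValueError("no host in URL")
    ips = resolve(p.hostname)
    if not ips:
        raise ValueError(f"{p.hostname} does not resolve")
    for ip in ips:  # every A/AAAA answer must be public, not just the first one
        if not is_public_ip(ip):
            raise ValueError(f"{p.hostname} resolves to non-public {ip}")
    # Real code must connect to the IP validated here (pin it) instead of resolving
    # again at connect time, or a DNS-rebinding attacker wins the race.


def http_get(url: str) -> Tuple[int, Dict[str, str], bytes]:
    if url not in FAKE_HTTP:
        raise ConnectionError(f"{url} unreachable in the constructed network")
    return FAKE_HTTP[url]


def naive_fetch_image(url: str, max_redirects: int = 3) -> bytes:
    """Reconstruction of the vulnerable pattern the advisory describes (not EspoCRM's
    code): the request is sent to whatever URL the user gave, the Content-Type of the
    *first* response is trusted, and the body of the *final* hop is kept."""
    status, headers, body = http_get(url)
    if not headers.get("Content-Type", "").startswith("image/"):
        raise ValueError("not an image")
    for _ in range(max_redirects):
        if status not in REDIRECT_CODES:
            break
        url = urljoin(url, headers["Location"])
        status, headers, body = http_get(url)
    return body


def safe_fetch_image(url: str, max_redirects: int = 3) -> bytes:
    """Hardened version: validate the destination of every hop before connecting,
    and judge the Content-Type of the final response rather than the redirect's."""
    for _ in range(max_redirects + 1):
        check_destination(url)
        status, headers, body = http_get(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        if not headers.get("Content-Type", "").startswith("image/"):
            raise ValueError("final response is not an image")
        return body
    raise ValueError("too many redirects")


def attempt(fetcher: Callable[[str], bytes], url: str) -> str:
    """Run a fetcher and summarise the outcome as 'stored:<body>' or 'rejected:<reason>'."""
    try:
        return "stored:" + fetcher(url).decode("latin-1")
    except (ValueError, ConnectionError) as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for name, fetcher in (("naive", naive_fetch_image), ("safe", safe_fetch_image)):
        for u in (REDIRECTOR, "http://localhost:8888", "http://img.example.com/cat.jpg"):
            print(f"{name:5} {u} -> {attempt(fetcher, u)}")
```

Running it shows the three outcomes the PoC relies on: the naive fetcher rejects the plain localhost URL only after the request has already been sent (the listener still sees it), it stores internal-service-secret for the redirector URL because the 301 carried an image content type, and the hardened fetcher refuses both before connecting to 127.0.0.1 while still accepting the legitimate image host. The ipv4-mapped and link-local cases in is_public_ip cover the usual allowlist gaps (::ffff:127.0.0.1, 169.254.169.254); the comment in check_destination notes the DNS-rebinding caveat a real implementation must also handle.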

Impact

This SSRF can be leveraged to disclose internal information (in some cases), to reach internal hosts, and to bypass firewall restrictions.
For background on SSRF and on fix strategies, see the references linked from the original advisory.

Severity

Moderate

CVE ID

CVE-2023-46736

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

Credits