
CVE-2023-6124: Server-Side Request Forgery (SSRF) in suitecrm

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.

Category: CVE
Tags: #git #rce #ssrf

Description

SuiteCRM's Inbound Email Account "Test Connection" function lets an authenticated user make the server open a connection to an arbitrary host and port, which is a Server-Side Request Forgery (SSRF). The supplied mail server address and port are neither validated nor restricted, so the function can be pointed at localhost, internal network hosts or external services, and the error message and response time returned to the user reveal whether the target accepted the connection. This works regardless of which protocol the target service speaks.

Proof of Concept

1. Log in as any user > Profile > Inbound Email Accounts > New Personal Inbound Email Account
2. Enter the target host as the mail server address and the target port as the port
3. Click TEST CONNECTION SETTINGS
4. Observe the error message and the response time; together they reveal whether the target port accepted the connection, refused it, or timed out

Screenshots (not reproduced here) show the PoC and payload against localhost, an internal network host and an external network host. The issue was also validated against the public SuiteCRM demo.
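The following Python example is added here and is not SuiteCRM code (SuiteCRM itself is PHP). It models the behaviour the advisory describes, a "test connection" that dials whatever host and port the user supplies and echoes the socket error, next to a hardened version that resolves the host first, rejects loopback, link-local, private and reserved addresses (including IPv4-mapped IPv6 forms), pins the validated address for the actual connection, and returns one uniform failure message so the response cannot be used as a port-state oracle. The `FAKE_DNS` table, the hostnames in it, the address 93.184.216.34 standing in for a public mail host, the `ALLOWED_PORTS` list and `make_fake_connector` are constructed assumptions so that the example runs offline; in real code `resolve` would call `socket.getaddrinfo` and `connect` would be `socket.create_connection`.

```python
import ipaddress
import socket

# Constructed DNS table so the example runs offline (stand-in for socket.getaddrinfo).
# 93.184.216.34 plays the role of a public mail host; the other entries are the kind of
# internal targets an attacker would aim the "test connection" feature at.
FAKE_DNS = {
    "imap.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],               # cloud metadata address
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # public plus internal A record
}

# Assumed allow-list: the ports an IMAP/POP3 inbound account can legitimately use.
ALLOWED_PORTS = {110, 143, 993, 995}

# One message for every failure, so the caller learns nothing about the target's state.
GENERIC_FAILURE = "error: could not verify mail server settings"


def resolve(host):
    """Return the IP addresses for host (literal IPs pass through unchanged)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_internal(ip):
    """True for any address a user-supplied mail host must never resolve to."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is still loopback
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_test_connection(host, port, connect=socket.create_connection):
    """The pattern the advisory describes: dial whatever was supplied, echo the error."""
    try:
        with connect((host, port), timeout=5):
            return "ok: connected"
    except OSError as exc:
        # 'Connection refused' versus 'timed out' (and how long it took) tells the
        # attacker whether the port is closed, open or filtered.
        return f"error: {exc}"


def hardened_test_connection(host, port, connect=socket.create_connection):
    """Validate before connecting, pin the checked address, return a uniform error."""
    if port not in ALLOWED_PORTS:
        return GENERIC_FAILURE
    addrs = resolve(host)
    # Reject if any resolved address is internal, not just the first one.
    if not addrs or any(is_internal(a) for a in addrs):
        return GENERIC_FAILURE
    try:
        # Connect to the address that was validated, not to the name, so a second
        # DNS lookup cannot swap in an internal address (DNS rebinding).
        with connect((str(addrs[0]), port), timeout=5):
            return "ok: connected"
    except OSError:
        return GENERIC_FAILURE


def make_fake_connector(error=None):
    """Constructed stand-in for socket.create_connection: records targets, never dials."""
    calls = []

    def connect(address, timeout=None):
        calls.append(address)
        if error is not None:
            raise error

        class _Conn:
            def __enter__(self):
                return self

            def __exit__(self, *exc_info):
                return False

        return _Conn()

    connect.calls = calls
    return connect


if __name__ == "__main__":
    refused = make_fake_connector(ConnectionRefusedError("Connection refused"))
    print(vulnerable_test_connection("127.0.0.1", 22, refused))         # leaks the socket error
    print(hardened_test_connection("localhost", 22, refused))           # generic, never dials
    print(hardened_test_connection("metadata.internal", 993, refused))  # generic, never dials
    print(hardened_test_connection("imap.example.com", 993, refused))   # dials 93.184.216.34:993
    print(refused.calls)
```

The allow-list check runs before DNS resolution so that an unvalidated hostname never triggers a lookup, and the check covers every resolved address because a name that returns one public and one internal record is the classic way to slip past a "first answer only" filter.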

Impact

The function allows the adversary to perform reconnaissance and scanning of localhost, internal network hosts and external hosts without any restriction on the destination, which could result in the following:

  1. Port scanning of the local host, the internal network and external hosts
  2. Interaction with internal applications, services and network segments
  3. Remote code execution by chaining with services reachable on the internal network
  4. Use of the server as a proxy to attack other networks
