Headline
CVE-2023-46730: SSRF in /api/upload.php
Group-Office is an enterprise CRM and groupware tool. In affected versions there is a full Server-Side Request Forgery (SSRF) vulnerability in the /api/upload.php endpoint. The /api/upload.php endpoint does not filter URLs, which allows a malicious user to cause the server to make resource requests to untrusted domains. Note that protocols like file:// can also be used to access the server disk. The request result (on success) can then be retrieved using /api/download.php. This issue has been addressed in versions 6.8.15, 6.7.54, and 6.6.177. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Summary
There is a full SSRF in /api/upload.php.
Details
The /api/upload.php endpoint accepts any URL without filtering, causing SSRF. Note that other protocols such as file:// can also be used.
The request result (on success) can then be retrieved using /api/download.php.
PoC
- Set up a listener on localhost:8000 on the server side.
- Send an authenticated request to /api/upload.php?url=http://localhost:8000 and record the returned blob id.
- Observe a request being sent to localhost:8000.
- Send an authenticated request to /api/download.php?blob=blobid, using the recorded blob id.
- Get the server-side request result.
If the url parameter is changed to file:///etc/passwd, the local file /etc/passwd can also be fetched.
Impact
See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
Refer to https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for proper fixes.
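As an added example (not Group-Office's own code), this is the shape of the allowlist check the cheat sheet above describes, applied to a fetch-by-URL endpoint like /api/upload.php?url=...: only http/https are accepted, the host is resolved and every address must be public, the validated address is pinned for the fetch, and redirects are refused. Function names and the 10-second timeout are assumptions.

```php
// Added example, not Group-Office code. Validates a user-supplied URL before a
// server-side fetch: rejects file://, gopher:// and PHP stream wrappers by
// scheme, and rejects hosts that resolve to loopback, private or reserved ranges.
function assertSafeFetchUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) throw new InvalidArgumentException('malformed URL');
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) throw new InvalidArgumentException("scheme $scheme not allowed");
    $host = trim($p['host'], '[]');   // parse_url keeps brackets on IPv6 literals
    // Resolve now and keep the answer: checking only the hostname misses names
    // that resolve to 127.0.0.1 or 10.x, and a second lookup at fetch time
    // could return a different address.
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $ips = [$host];
    } else {
        $ips = gethostbynamel($host) ?: [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $r) {
            $ips[] = $r['ipv6'];
        }
    }
    if (!$ips) throw new InvalidArgumentException('host does not resolve');
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, ::ffff:0:0/96.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) throw new InvalidArgumentException("host resolves to non-public address $ip");
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetches the resource for storage as a blob, using only the address validated above.
function fetchForUpload(string $url): string
{
    $t = assertSafeFetchUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a public host must not redirect the fetch inward
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
        // Pin the validated address so the fetch cannot go to a different host.
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    $body = curl_exec($ch);
    if ($body === false) throw new RuntimeException('fetch failed: ' . curl_error($ch));
    return $body;
}
```

With this check in place, both PoC inputs above (http://localhost:8000 and file:///etc/passwd) are rejected before any request is made, and the error can be logged to detect probing of the endpoint.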