Server-Side Request Forgery (SSRF) in collectiveaccess/providence


Reported on

Sep 25th 2021


Authenticated, blind SSRF vulnerability exists in CollectiveAccess. Requires edit access (tested with default cataloguer account)

Proof of Concept

As the 'cataloguer', user:
Step 1. Create a new object with the title: <img src="http://localhost/index.png">
Step 2. After submitting this object, browse for objects in http://[YOUR-WEBSERVER]/providence/index.php/find/BrowseObjects/Index/sort/ca_objects.idno_sort
Step 3. Print the objects to PDF Checklist
Step 4. Observe that the server made a request for index.png in Apache Logs which means that the server is issuing a HTTP request to itself.


This vulnerability is capable of internal portscans, interaction with internal webservers via GET requests, as well as information disclosure of images on the internal network.

For instance if I were to host an image in the internal server containing some kind of secret.png at http://localhost:8000/secret.png Then doing this will allow me to embed the secret.png at http://localhost:8000/secret.png into the PDF, causing information disclosure.

Recommended Fix

Filter localhost or private IP from src attributes in HTML (or give an option to)

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 months ago
haxatron modified their report
2 months ago
2 months ago


Yes, good catch...

CollectiveAccess validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on aaf573 2 months ago
CollectiveAccess has been awarded the fix bounty