Server-Side Request Forgery (SSRF) in collectiveaccess/providence
Status: Valid
Sep 25th 2021
An authenticated, blind SSRF vulnerability exists in CollectiveAccess. It requires edit access (tested with the default cataloguer account).
Proof of Concept
As the 'cataloguer' user:
Step 1. Create a new object with the title: <img src="http://localhost/index.png">
Step 2. After submitting this object, browse for objects at http://[YOUR-WEBSERVER]/providence/index.php/find/BrowseObjects/Index/sort/ca_objects.idno_sort
Step 3. Print the objects to a PDF Checklist.
Step 4. Observe in the Apache logs that the server made a request for index.png, which means the server is issuing an HTTP request to itself.
This vulnerability can be used for internal port scans, interaction with internal web servers via GET requests, and information disclosure of images hosted on the internal network.
For instance, if an image containing some kind of secret (secret.png) were hosted on an internal server at http://localhost:8000/secret.png, the same steps would embed that image into the generated PDF, causing information disclosure.
Recommended fix: filter localhost and private IP addresses out of src attributes in HTML before rendering to PDF (or provide an option to do so).
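The filter described above, as an added Python illustration that is not CollectiveAccess code (the project itself is PHP): it rejects any <img src> that is not an absolute http(s) URL to a public host, treating localhost, loopback, private, link-local and other non-public ranges as internal. The regex-based tag scan and the "unresolved names are external" simplification are assumptions of this example; a production filter should run inside the application's HTML sanitiser and also resolve hostnames.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

_IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_SRC_ATTR = re.compile(r'\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.IGNORECASE)

def parse_ip(host):
    """IP literal -> ip_address; inet_aton also accepts shorthand like '127.1'; else None."""
    for conv in (ipaddress.ip_address, lambda h: ipaddress.IPv4Address(socket.inet_aton(h))):
        try:
            return conv(host)
        except (ValueError, OSError):
            pass
    return None

def is_internal_host(host):
    """True if the host is the server itself or a non-public address range."""
    host = host.strip().lower().rstrip(".")
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    ip = parse_ip(host)
    if ip is None:
        # Simplification: non-literal names count as external; a real filter must resolve them too.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified or ip.is_multicast)

def src_is_allowed(src):
    """Allow only absolute http(s) URLs whose host is not internal."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not is_internal_host(parts.hostname)

def strip_internal_images(html):
    """Drop every <img> whose src the PDF renderer must not be allowed to fetch."""
    def _check(m):
        tag = m.group(0)
        attr = _SRC_ATTR.search(tag)
        if attr is None:
            return tag  # no src attribute, nothing for the renderer to request
        value = next(g for g in attr.groups() if g is not None)
        return tag if src_is_allowed(value) else ""
    return _IMG_TAG.sub(_check, html)
```

Scheme-relative (//host/...) and file: sources are rejected as well, since the renderer would otherwise resolve them against the server itself.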