
SSRF in /api/upload.php

High
mschering published GHSA-vw6c-h82w-mvfv Nov 7, 2023

Package

groupoffice (PHP)

Affected versions

>= 6.3, <= 6.8.14

Patched versions

6.8.15, 6.7.54, 6.6.177

Description

Summary

There is a full SSRF vulnerability in /api/upload.php.

Details

The /api/upload.php endpoint accepts any URL in its url parameter and fetches it server-side, causing SSRF. Note that other protocols such as file:// are accepted as well, not only http(s).
On success, the result of the server-side request is stored as a blob and can then be retrieved through /api/download.php.

PoC

  1. Set up a server listening on localhost:8000 on the server side.
  2. Send an authenticated request to /api/upload.php?url=http://localhost:8000 and record the returned blob id.
  3. Observe a request arriving at localhost:8000.
  4. Send an authenticated request to /api/download.php?blob=blobid.
  5. Receive the result of the server-side request.

If the url parameter is changed to file:///etc/passwd, the local file /etc/passwd can also be fetched the same way.

Impact

See https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
Refer to https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for proper fixes (scheme allow-listing, resolving the destination and rejecting loopback/private addresses, and not following redirects blindly).
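As an added example (not Group-Office's own code, and not the patch shipped in the fixed versions), the helper below shows the kind of destination check the cheat sheet referenced above describes, applied to the Details and PoC sections: a scheme allow-list that rejects file:// and other non-http(s) schemes, resolution of the host with every resulting address checked against loopback, link-local and private ranges, and a fetch that pins the checked address and refuses redirects. The function names `validateRemoteUrl`, `isPublicAddress` and `fetchRemote`, and the sample URLs in the demo loop, are constructed for illustration.

```php
<?php
// Added example, not part of the Group-Office code base. Assumes the curl
// extension is available. Function names are illustrative.
declare(strict_types=1);

/** True only for addresses outside loopback, link-local, private and other reserved ranges. */
function isPublicAddress(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Validate a user-supplied URL as a public http(s) destination.
 * Returns ['url', 'host', 'port', 'ip'] on success, throws otherwise.
 */
function validateRemoteUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        throw new InvalidArgumentException('Malformed URL');
    }

    // 1. Scheme allow-list: file://, gopher://, php://, ftp:// ... are all refused here.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme not allowed: $scheme");
    }
    if (empty($parts['host'])) {
        throw new InvalidArgumentException('URL has no host');
    }
    // 2. user:pass@host forms are a classic way to confuse host parsing; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in URL not allowed');
    }

    // 3. Resolve the host ourselves and check every address it maps to (A and AAAA).
    $host = trim($parts['host'], '[]');
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $ips[] = $rr['ip'] ?? $rr['ipv6'];
        }
    }
    if ($ips === []) {
        throw new InvalidArgumentException("Cannot resolve host: $host");
    }
    foreach ($ips as $ip) {
        if (!isPublicAddress($ip)) {
            throw new InvalidArgumentException("Host resolves to non-public address: $ip");
        }
    }
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

/** Fetch a validated URL with curl, pinning the checked address so DNS cannot change between check and use. */
function fetchRemote(string $url): string
{
    $v = validateRemoteUrl($url);
    $ch = curl_init($v['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // belt and braces: curl refuses other schemes too
        CURLOPT_FOLLOWLOCATION => false, // a redirect to an internal address must not be followed unchecked
        CURLOPT_RESOLVE        => ["{$v['host']}:{$v['port']}:{$v['ip']}"], // use the address we validated
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Fetch failed (HTTP $status)");
    }
    return $body;
}

// Demo with constructed inputs, including the two URLs from the PoC above.
foreach (['file:///etc/passwd', 'http://localhost:8000', 'http://127.0.0.1:8000/',
          'http://[::1]/', 'http://10.0.0.5/', 'http://user:pw@example.com/'] as $candidate) {
    try {
        validateRemoteUrl($candidate);
        echo "allowed:  $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
```

Every URL in the demo loop is rejected: file:///etc/passwd at the scheme check, the loopback and private hosts at the address check, and the credentialed URL at the user-info check. Whether a redirect target should ever be followed is a product decision; if it is, each hop has to pass `validateRemoteUrl` again rather than relying on curl to follow it.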

Severity

High

CVE ID

CVE-2023-46730

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Credits