Server-Side Request Forgery (SSRF) in instantsoft/icms2
Description
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SSRF vulnerability in the icms2 image upload lets attackers make server-side requests to internal networks; fixed in version 2.16.1.
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the file_get_contents_from_url and file_save_from_url functions in instantsoft/icms2 prior to version 2.16.1. These functions are used during image upload and do not validate the target URL, so an attacker can supply arbitrary URLs, including ones pointing at internal IP addresses. The fix in commit a6bf758 [1] adds a check that blocks URLs pointing to IP addresses and restricts the allowed protocols to HTTP and HTTPS via CURLOPT_PROTOCOLS.
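As an added illustration (not icms2's own code, and not the patched functions themselves), the following PHP helper applies the two controls the fix describes and goes further: it resolves the hostname and rejects private or reserved addresses, and it refuses redirects. The function names and the treatment of lookup failures are assumptions.

```php
<?php
// Added example, not icms2's own code: a hardened URL fetch in the spirit of
// the fix described above (reject IP literals, restrict curl to HTTP/HTTPS). It
// goes further by resolving the hostname, rejecting private/reserved addresses,
// and refusing redirects, which could otherwise re-target an internal host.
function validate_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'malformed URL';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'only http/https are allowed';
    }
    $host = trim($parts['host'], '[]');          // strip IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return 'IP address literals are not allowed';
    }
    // DNS may point a harmless-looking name at loopback or private space.
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if (!$records) {
        return 'hostname does not resolve';
    }
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? '';
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "host resolves to non-public address $ip";
        }
    }
    return null;                                  // acceptable
}
function file_get_contents_from_url_safe(string $url)
{
    if (($reason = validate_fetch_url($url)) !== null) {
        error_log("blocked fetch of $url: $reason");
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,         // no redirect to another host
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

The pre-check and curl's own lookup are separate DNS queries, so a name whose answer changes between them can pass the check yet resolve elsewhere at fetch time; pinning the vetted address with CURLOPT_RESOLVE closes that gap.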
Exploitation
An attacker can exploit this vulnerability by uploading an image file and providing a crafted URL that points to an internal network resource (e.g., http://192.168.1.1/admin). No authentication is required if the image upload functionality is publicly accessible. The attacker does not need any special privileges; the only requirement is the ability to submit an image upload request with a manipulated URL parameter.
Impact
Successful exploitation allows the attacker to perform SSRF attacks, enabling them to probe internal services, access sensitive data, or interact with internal systems that are not intended to be exposed. This can lead to information disclosure and potentially further compromise of the internal network. The impact is limited to the server's network context and the permissions of the web application.
Mitigation
The vulnerability is fixed in version 2.16.1 of icms2, released on or after the commit date of August 31, 2023 [1]. Users should upgrade to this version or later. No workarounds are documented in the available references. The issue was reported via the huntr.dev bounty platform [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.16.1
- instantsoft/instantsoft/icms2v5, range: unspecified