Server-Side Request Forgery (SSRF) in instantsoft/icms2
Description
Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1-git.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF in instantsoft icms2 prior to 2.16.1-git allows an attacker to make arbitrary requests from the server, potentially accessing internal resources.
Vulnerability
The vulnerability is a Server-Side Request Forgery (SSRF) in the uploadFromLink function of the icms2 content management system. Prior to version 2.16.1-git, the function did not properly validate the host part of the URL provided for remote file uploads. The code used filter_var with FILTER_VALIDATE_URL but did not block requests to private IP addresses, allowing an attacker to specify internal network addresses (e.g., 127.0.0.1) or trigger requests to arbitrary hosts [1].
Exploitation
An attacker with the ability to upload a file from a link (e.g., a content manager or editor role) can craft a URL pointing to an internal IP address (e.g., http://127.0.0.1/admin or http://192.168.1.1). The server will then attempt to fetch that URL using cURL, potentially accessing internal services that are not meant to be exposed. No authentication is required beyond the ability to use the upload from link feature.
Impact
Successful exploitation allows the attacker to probe internal network services, read metadata from internal endpoints (e.g., cloud metadata on 169.254.169.254), or gather information about the internal network and its services. The impact is primarily information disclosure of internal resources, which could lead to further attacks.
Mitigation
The issue was fixed in the commit [1] by adding hostname resolution and validation to prevent requests to private and reserved IP ranges. Users should update to icms2 version 2.16.1-git or later, which includes the fix. No other workarounds are documented in the available references [2].
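The check the fix describes, resolving the hostname and refusing private and reserved ranges, as an added PHP example that is not icms2's own code. It places the weak check the advisory describes (`filter_var` with `FILTER_VALIDATE_URL` only) beside a hardened one; the function names, the `$resolver` parameter and the constructed hostnames are assumptions, not identifiers from the project.

```php
<?php
// Added example (not icms2's code): validating an "upload from link" URL by
// resolving its host and rejecting private/reserved addresses. Requires PHP 8.
declare(strict_types=1);

/** The weak check: syntactically valid URL only. Accepts http://127.0.0.1/. */
function weak_url_check(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

/**
 * Hardened check: scheme allow-list, hostname resolution, and rejection of
 * every resolved address in a private or reserved range.
 * $resolver maps a hostname to a list of IP strings; it defaults to DNS but
 * can be replaced so the check runs offline (assumed parameter).
 */
function is_safe_upload_url(string $url, ?callable $resolver = null): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                       // no file://, ftp://, gopher:// ...
    }
    $host = trim($parts['host'] ?? '', '[]'); // strip IPv6 literal brackets
    if ($host === '') {
        return false;
    }
    $addresses = ($resolver ?? 'default_resolver')($host);
    if ($addresses === []) {
        return false;                       // unresolvable: do not fetch
    }
    foreach ($addresses as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10 ...
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            return false;                   // one internal record is enough to refuse
        }
    }
    return true;
}

/** Default resolver: A and AAAA records; an IP literal resolves to itself. */
function default_resolver(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return [$host];
    }
    $v4 = gethostbynamel($host) ?: [];
    $v6 = array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
    return array_values(array_unique(array_merge($v4, $v6)));
}

// Constructed resolver so the demonstration runs without DNS.
$fake = fn(string $h): array => match ($h) {
    'files.example.org'  => ['203.0.113.10'],
    'rebind.example.org' => ['203.0.113.10', '10.0.0.5'],   // one internal record
    default => filter_var($h, FILTER_VALIDATE_IP) !== false ? [$h] : [],
};

$cases = [
    'http://127.0.0.1/admin',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]/',
    'file:///etc/passwd',
    'http://rebind.example.org/img.png',
    'https://files.example.org/img.png',
];
foreach ($cases as $url) {
    printf("%-45s weak=%s hardened=%s\n", $url,
        weak_url_check($url) ? 'accept' : 'reject',
        is_safe_upload_url($url, $fake) ? 'accept' : 'reject');
}
```

Only the last URL passes the hardened check. Two caveats for anyone wiring this into a cURL fetch: the resolution here and the resolution cURL performs are separate lookups, so pin the connection to the validated address (for example with `CURLOPT_RESOLVE`) or re-check after connecting; and either disable redirects or re-validate each redirect target, since a permitted external host can otherwise redirect the fetch to an internal one.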
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 2.16.1-git
- instantsoft/instantsoft/icms2v5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.