OpenSupports Server-Side Request Forgery Vulnerability in Diagnostic Endpoints

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in OpenSupports version 4.11.0. This issue arises from two unauthenticated diagnostic endpoints, '/api/system/test-imap' and '/api/system/test-smtp', which allow arbitrary network connections from the backend to attacker-supplied destinations. Both endpoints are exposed with 'permission => any', enabling unauthenticated access for internal network scanning and service interaction. The '/test-imap' endpoint passes a user-controlled IMAP host, user, and password to 'imap_open()', while the '/test-smtp' endpoint uses PHPMailer to connect to a user-specified SMTP host; neither endpoint applies any destination restrictions.

Impact

Exploitation of this vulnerability allows for internal network scanning and service interaction, potentially leading to unauthorized access or manipulation of internal services. The IMAP endpoint could be used to connect to arbitrary TCP endpoints from the server's network context, while the SMTP endpoint could expose credentials in misconfigured environments.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/system/test-imap' endpoint with a crafted 'imap-host' parameter that targets an internal service or port. Similarly, the '/api/system/test-smtp' endpoint can be exploited by providing a user-supplied SMTP host that the server will attempt to connect to, so the connection originates from the server's network position rather than the attacker's and bypasses network restrictions that would block the attacker directly.
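One destination check that diagnostic endpoints of this kind could enforce before opening any connection, written as an added example for this advisory rather than OpenSupports' own code; the function names, the configured allow-list and the 400 response are assumptions:

```php
<?php
// Added hardening example, not OpenSupports code. It assumes the endpoint
// has already been restricted to staff (the page reports 'permission => any')
// and that the only legitimate relay hosts come from server-side configuration.

// True only if $host is on the configured allow-list and every address it
// resolves to is public. Refuses IP literals in private/loopback/reserved
// ranges and hostnames that resolve into them. gethostbynamel() only returns
// IPv4 records, so pin or re-check the address at connect time if IPv6 is used.
function isAllowedMailHost(string $host, array $allowedHosts): bool
{
    $host = strtolower(trim($host));
    if ($host === '' || !in_array($host, $allowedHosts, true)) {
        return false;
    }

    // IP literal: validate directly, no DNS involved.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($host);
    }

    // Hostname: resolve and require every record to be public; fail closed.
    $addresses = gethostbynamel($host);
    if ($addresses === false || count($addresses) === 0) {
        return false;
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return false;
        }
    }
    return true;
}

function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Constructed usage: the allow-list is fixed server-side, never request-supplied.
$allowedRelays = ['mail.example.com'];
$requested = $_POST['imap-host'] ?? '';
if (!isAllowedMailHost($requested, $allowedRelays)) {
    http_response_code(400);
    exit('Destination not permitted');
}
// Only past this point would the code hand $requested to imap_open()/PHPMailer.
```

The allow-list check is the primary control; the address check is defence in depth against an allow-listed name resolving into an internal range.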

Added: Oct 3, 2025, 9:20 PM
Updated: Oct 3, 2025, 9:20 PM

Vulnerability Rating (Custom Algorithm)

spread:         2.2
impact:         0.6
exploitability: 9.7
remediation:    0.0
relevance:      0.6
threat:         6.4
urgency:        2.9
incentive:      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.