Deco Deco-Apps Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Deco-CX apps up to and including version 0.120.1. The issue resides in the AnalyticsScript function in the file website/loaders/analyticsScript.ts, part of the Parameter Handler component. The loader accepts a 'url' argument and fetches it without validating the scheme or the target host, so a remote attacker can make the server request arbitrary URLs, including file: URLs for local files and http(s) URLs for services that are reachable only from inside the network. This can expose sensitive information such as environment variables, configuration files or responses from internal services.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to read local files (for example /etc/passwd and /etc/hosts) and to reach internal services through the server, which can serve as a foothold for further exploitation.
Reproduction
To reproduce this vulnerability, invoke the analyticsScript loader (the handler implemented in website/loaders/analyticsScript.ts) with a crafted 'url' argument that points to a local file, such as 'file:///etc/passwd'. An unpatched server passes the value straight to fetch and returns the file contents in its response; on Deno, fetch resolves file: URLs whenever the process holds read permission for the path. Any other reachable target works the same way, for example an http:// URL pointing at a service bound to localhost or to a private address.
Remediation
Upgrade to Deco-CX apps version 0.120.2, which addresses this vulnerability by validating and sanitizing the 'url' parameter before it is fetched. Where an upgrade cannot be applied immediately, restrict the argument to an allowlist of analytics hosts over https, reject loopback and private address ranges, and limit outbound connections from the application host so that internal services are not reachable from it.
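The following added example (illustrative code, not deco-cx's fix or the project's own code) contrasts the vulnerable pattern described above, a loader that hands its 'url' argument straight to fetch, with a hardened variant that validates the argument first. The loader names, the Fetcher type and the analytics host allowlist are assumptions made for the example.

```typescript
// Added example: SSRF-safe handling of a loader's `url` argument.
// Illustrative only; function names and the host allowlist are assumptions.

// Only https is accepted: file:, http:, gopher: and friends are rejected outright.
const ALLOWED_PROTOCOLS = new Set(["https:"]);

// Hosts an analytics script may legitimately be fetched from (assumed for the example).
const ALLOWED_HOSTS = new Set(["www.googletagmanager.com", "plausible.io"]);

class SsrfRejected extends Error {}

// Minimal fetch-like signature so the example does not depend on DOM typings.
// In a real loader pass the global `fetch` here.
type Fetcher = (
  url: string,
  init?: { redirect: "error" },
) => Promise<{ text(): Promise<string> }>;

// Loopback, link-local, "this network" and RFC 1918 ranges by dotted-quad literal.
// The WHATWG URL parser normalises numeric forms such as 2130706433 to 127.0.0.1
// before this runs, so decimal/octal disguises are covered as well.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Parses and validates the argument; throws SsrfRejected on anything suspicious.
function validateScriptUrl(raw: string): URL {
  let url: URL;
  try {
    url = new URL(raw); // relative paths and junk fail here
  } catch {
    throw new SsrfRejected("not an absolute URL");
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new SsrfRejected(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username !== "" || url.password !== "") {
    throw new SsrfRejected("credentials in URL not allowed");
  }
  // IPv6 literals come back as "[::1]"; strip the brackets before comparing.
  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (
    host === "localhost" || host.endsWith(".localhost") ||
    host === "::1" || host === "::" || isInternalIPv4(host)
  ) {
    throw new SsrfRejected(`internal host not allowed: ${host}`);
  }
  if (!ALLOWED_HOSTS.has(host)) {
    throw new SsrfRejected(`host not on allowlist: ${host}`);
  }
  return url;
}

// Convenience wrapper: null when the URL is acceptable, otherwise the reason.
function rejectionReason(raw: string): string | null {
  try {
    validateScriptUrl(raw);
    return null;
  } catch (e) {
    return e instanceof SsrfRejected ? e.message : String(e);
  }
}

// Vulnerable shape (what the advisory describes): the argument goes straight to fetch.
async function loadAnalyticsScriptUnsafe(props: { url: string }, fetcher: Fetcher) {
  const res = await fetcher(props.url);
  return res.text();
}

// Hardened shape: validate first and refuse redirects, so an allowlisted host
// cannot bounce the request to an internal address via a 3xx response.
async function loadAnalyticsScriptSafe(props: { url: string }, fetcher: Fetcher) {
  const url = validateScriptUrl(props.url);
  const res = await fetcher(url.toString(), { redirect: "error" });
  return res.text();
}
```

A hostname allowlist is the strongest control here because the loader only ever needs a handful of analytics vendors; the private-range check is defence in depth for the case where the allowlist is later loosened. Note that neither check resolves DNS, so an allowlisted name that later resolves to an internal address (DNS rebinding) is only stopped by the egress restriction recommended in the remediation section.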
