LinkAce Server-Side Request Forgery Vulnerability in FetchController
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in LinkAce versions 2.3.0 and below. The issue arises in the FetchController class, specifically within the htmlKeywordsFromUrl function. This function accepts user-provided URLs and makes HTTP requests to them without validating whether the destination is an internal or private network resource. As a result, authenticated attackers can use the application server to perform port scanning and service discovery on internal networks. However, the practical impact is limited, as the function only extracts content from HTML meta keywords tags, preventing meaningful data exfiltration from databases, APIs, or cloud metadata endpoints.
Impact
Exploitation of this vulnerability allows authenticated attackers to use the application server to scan ports and discover services on internal networks.
Reproduction
To reproduce this vulnerability, log in to LinkAce as an authenticated user. Send a POST request to the '/fetch/keywords-for-url' endpoint with a JSON payload containing a URL. The server will make an HTTP request to the provided URL and return any keywords found in the meta tags. This process can be repeated with internal URLs to demonstrate the SSRF vulnerability.
Remediation
Users are advised to update to LinkAce version 2.4.0, where this vulnerability has been fixed.
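The missing check described above, validating where a user-supplied URL actually points before the server requests it, can be sketched as follows. This is an added example, not LinkAce's code and not the fix shipped in 2.4.0; the function names, the injectable resolver and the sample hosts are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example; function names are hypothetical, not LinkAce code.

/** Default resolver: all A and AAAA addresses for a hostname. */
function resolveHost(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
        $ips[] = $rec['ip'] ?? $rec['ipv6'];
    }
    return $ips;
}

/** True only for addresses outside private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/** Decide whether the server may fetch $url on behalf of a user. */
function isFetchAllowed(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // malformed URL or non-HTTP scheme
    }
    $host = trim($parts['host'], '[]'); // parse_url keeps IPv6 brackets
    // IP literals are checked directly; hostnames via every resolved address.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : ($resolver ?? 'resolveHost')($host);
    if ($ips === []) {
        return false; // unresolvable: fail closed
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return false; // one internal address is enough to refuse
        }
    }
    return true;
}

// Constructed DNS answers and URLs so the example runs offline.
$dns = ['site.test' => ['203.0.113.10'], 'intranet.test' => ['10.0.0.5']];
$lookup = fn (string $h): array => $dns[$h] ?? [];
$urls = ['https://site.test/', 'http://intranet.test/', 'http://[::1]/', 'ftp://site.test/'];
foreach ($urls as $url) {
    printf("%-24s %s\n", $url, isFetchAllowed($url, $lookup) ? 'allow' : 'block');
}
```

A check like this only holds if the HTTP client then connects to the same addresses that were validated and does not follow redirects to hosts that were never checked.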
