ZimaOS Server-Side Request Forgery Vulnerability Allowing Access to Internal Services

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ZimaOS versions through 1.5.0. This vulnerability allows authenticated local users to send requests that target internal IP addresses, such as localhost or private network ranges. By doing so, attackers can interact with internal HTTP or HTTPS services that are not meant to be exposed either externally or to local users.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information by allowing attackers to interact with internal services that are not publicly accessible.

Reproduction

To reproduce this vulnerability, authenticate to the ZimaOS application using local user account credentials. After logging in, intercept the network traffic with a web proxy tool such as Burp Suite to capture the JSON Web Token (JWT) authorization header. Then send an HTTP GET request to the application's proxy endpoint, including the JWT and a URL parameter that points to an internal service, such as one running on localhost. If the proxy request succeeds, it returns content from the targeted internal endpoint, demonstrating the vulnerability.
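The defensive counterpart to the behaviour described above, as an added example that is not ZimaOS code: a destination check that a URL-proxying endpoint can apply before it fetches anything, rejecting loopback, private, link-local and unspecified addresses whether they arrive as a literal IP or behind a hostname. The function names and the injected resolver hook are assumptions; the page does not show the actual ZimaOS proxy code or its parameter names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrInternalTarget is returned for addresses a user-facing proxy must never fetch.
var ErrInternalTarget = errors.New("proxy target resolves to an internal address")

// isInternal covers IPv4 and IPv6; net.IP methods also handle IPv4-mapped forms.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsInterfaceLocalMulticast()
}

// checkProxyTarget validates a user-supplied URL before the proxy fetches it:
// http/https only, and every address the host resolves to must be public.
// resolve is an injected hook (assumed here) so the check can run without DNS.
func checkProxyTarget(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	// A literal IP is checked directly; a hostname is resolved and every
	// answer is checked, so a name that points at 127.0.0.1 is still rejected.
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return ErrInternalTarget
		}
	}
	return nil
}

func main() {
	fmt.Println(checkProxyTarget("http://127.0.0.1:8080/", net.LookupIP))
}
```

Because a hostname can change its answer between this check and the actual connection (DNS rebinding), the same test should also be enforced on the address the HTTP client dials, for example inside a custom DialContext.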

Added: Mar 2, 2026, 5:29 PM
Updated: Mar 2, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.