KodCloud KodBox Server-Side Request Forgery Vulnerability
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in KodCloud KodBox version 1.61. The issue arises in the 'Download from Link' functionality within the file upload feature. When an administrator inputs a URL, the server sends an HTTP request to that URL without proper validation or filtering. This vulnerability allows remote exploitation, enabling attackers to interact with internal and external network resources accessible to the server, potentially exposing sensitive services and data.
Impact
Exploitation of this vulnerability allows for internal network reconnaissance and port scanning from the KodBox server. It could lead to access to sensitive internal services not exposed externally, with the possibility of retrieving cloud metadata from providers like AWS, GCP, or Azure, which could result in credential theft. Additionally, the server could be used as a proxy to bypass firewall restrictions, with a risk of full internal network compromise if sensitive services are reachable.
Reproduction
To reproduce this vulnerability, log in as an administrator on KodBox v1.61. Navigate to 'Upload Files' and select 'Download from Link'. Enter a URL of a server you control and observe the incoming request. Then, replace the URL with an internal network address, such as one corresponding to a service running on a specific port. The KodBox server will send the request to the internal address without validation, demonstrating the SSRF vulnerability.
Remediation
It is recommended to implement strict allowlists for downloadable URLs, block requests to private or internal IP ranges, validate and sanitize all user-provided URLs, apply egress firewall rules to prevent unauthorized outbound traffic, and restrict or disable this feature for high-privilege accounts.
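The following is an added example of the URL validation the Remediation section calls for; it is not KodBox code (KodBox is PHP) but a language-independent illustration of the same policy in Python. It rejects non-HTTP schemes, embedded credentials, hosts outside an optional allowlist, and any host that is a literal or resolves to a private, loopback, link-local (including the cloud metadata range), or IPv4-mapped internal address, and it re-applies the same check to redirect targets. The DNS table, host names and addresses it uses are constructed for offline demonstration; the resolver is injectable so the policy can be tested without network access.

```python
"""Validator for a 'download from link' feature (added example, not KodBox code).

Every user-supplied URL is checked before the server opens a connection, and the
same check is re-run on each redirect target. The DNS table at the bottom is a
constructed stand-in for real resolution.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges a file-fetch feature must never reach: RFC 1918, loopback,
# link-local (which includes the 169.254.169.254 cloud metadata endpoint),
# CGNAT, multicast, "this host", plus the IPv6 equivalents and mapped forms.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8", "::ffff:0:0/96",
)]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched by the server."""


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in an internal or reserved range."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop an IPv6 scope id if present
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is checked as its IPv4 form as well.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        if any(addr.ipv4_mapped in net for net in BLOCKED_NETWORKS):
            return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve(host: str, resolver=None) -> set:
    """All A/AAAA answers for host; `resolver` is injectable for offline tests."""
    if resolver is not None:
        return set(resolver(host))
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def validate_download_url(url: str, resolver=None, allowed_hosts=None):
    """Return (host, sorted resolved IPs) or raise UnsafeURL.

    The caller should connect to one of the returned IPs rather than re-resolving
    the name, so a DNS change between check and fetch cannot move the target.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise UnsafeURL("credentials embedded in the URL are not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeURL(f"host not on allowlist: {host}")
    try:
        # Literal address in the URL (127.0.0.1, [::1], 169.254.169.254): check it directly.
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:
        ips = resolve(host, resolver)
    if not ips:
        raise UnsafeURL(f"host does not resolve: {host}")
    # Every answer must be acceptable: a name with one public and one private
    # record is rejected rather than trusting whichever record the client picks.
    for ip in ips:
        if is_blocked_ip(ip):
            raise UnsafeURL(f"{host} resolves to blocked address {ip}")
    return host, sorted(ips)


def is_safe_download_url(url: str, base: str = None, **kw) -> bool:
    """Boolean wrapper; pass `base` to check a redirect Location relative to the page that issued it."""
    try:
        validate_download_url(urljoin(base, url) if base else url, **kw)
        return True
    except UnsafeURL:
        return False


# Constructed DNS table standing in for real resolution (hypothetical names and addresses).
CONSTRUCTED_DNS = {
    "files.example.org": {"203.0.113.10"},
    "intranet.corp.example": {"10.1.2.3"},
    "rebind.example.net": {"203.0.113.20", "192.168.0.5"},
    "metadata.example": {"::ffff:169.254.169.254"},
}


def constructed_resolver(host: str) -> set:
    return CONSTRUCTED_DNS.get(host.lower(), set())


if __name__ == "__main__":
    for u in ("https://files.example.org/pkg.zip", "http://127.0.0.1:6379/",
              "http://169.254.169.254/latest/meta-data/", "http://rebind.example.net/x"):
        verdict = "allowed" if is_safe_download_url(u, resolver=constructed_resolver) else "rejected"
        print(u, "->", verdict)
```

Two design points matter in practice. First, the check resolves the name and inspects every answer, so a host with mixed public and private records is rejected; the fetch should then connect to the validated address rather than resolving again. Second, redirects are the common bypass for a check that only looks at the submitted URL, so the HTTP client should follow them manually and run `is_safe_download_url(location, base=current_url)` on each hop. An egress firewall on the KodBox host, as the advisory recommends, backs this up if the application check is ever bypassed.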
