ParisNeo LollMS Server-Side Request Forgery Vulnerability in Export Content API
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in ParisNeo LollMS versions prior to 2.2.0. The issue resides in the '/api/files/export-content' endpoint, where the '_download_image_to_temp()' function in 'backend/routers/files.py' fails to validate user-controlled URLs. This oversight allows attackers to send arbitrary HTTP requests to internal services and cloud metadata endpoints, potentially leading to unauthorized access, information disclosure, port scanning, and even remote code execution.
Impact
Exploitation of this vulnerability allows attackers to access internal network services, cloud metadata endpoints, and sensitive information from internal services. Additionally, it could facilitate port scanning of internal networks and, if combined with vulnerabilities in accessed services, lead to remote code execution.
Reproduction
To reproduce this vulnerability, send a POST request to the '/api/files/export-content' endpoint with a payload that includes markdown images hosted on internal URLs or cloud metadata endpoints. The server processes the request and attempts to download the images from the supplied URLs without validating their destination, so no security control stands between the caller and the internal target.
Remediation
Users are advised to update to LollMS version 2.2.0 or later, where this vulnerability has been fixed.
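The following is an added example of the kind of destination check that was missing from the download helper described above; it is not LollMS code and not the project's actual fix. The function name 'check_download_url', the hostname block list and the injectable resolver are assumptions made for this example. The check parses the URL, rejects non-HTTP schemes and embedded credentials, inspects IP literals directly (including IPv4-mapped IPv6 forms), and otherwise resolves the hostname and refuses any result that is loopback, private, link-local (which covers the well-known 169.254.169.254 metadata address), multicast, reserved or unspecified.

```python
"""Defensive destination check for server-side URL fetches.

Added example for the LollMS SSRF advisory; this is not the project's code.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that should never be fetched on behalf of a user. Constructed
# list for this example; the advisory itself names no specific hosts.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_address(addr: str) -> bool:
    """Return True if addr is not a public internet address.

    Unwraps IPv4-mapped IPv6 literals (::ffff:10.0.0.1) so that the IPv4
    range checks apply to them as well. Raises ValueError if addr is not an
    IP literal at all.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolve(host: str) -> list:
    """Resolve host to every A/AAAA record; each record must pass the check."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_download_url(url: str, resolve=_default_resolve) -> tuple:
    """Return (allowed, reason) for a user-supplied download URL.

    The resolver is injectable (assumed design for this example) so the
    check can be exercised offline; production callers use the DNS default.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"

    # IP literal in the URL: judge it directly, no DNS lookup involved.
    try:
        if _is_disallowed_address(host):
            return False, f"non-public address literal: {host}"
        return True, f"public address literal: {host}"
    except ValueError:
        pass  # not an IP literal; fall through to name resolution

    try:
        addresses = resolve(host)
    except (socket.gaierror, OSError) as exc:
        return False, f"DNS resolution failed for {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    # A name that maps to any internal address is refused, even if it also
    # maps to public ones: the client cannot choose which record is used.
    for addr in addresses:
        if _is_disallowed_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} resolves to public addresses only"


if __name__ == "__main__":
    # Constructed sample inputs; a stub resolver stands in for real DNS.
    stub = {"images.example": ["93.184.216.34"],
            "intranet.example": ["10.0.0.5"]}
    for sample in ("https://images.example/logo.png",
                   "https://intranet.example/secret.png",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]:8080/",
                   "file:///etc/hosts"):
        print(sample, "->", check_download_url(sample, resolve=stub.__getitem__))
```

Two caveats apply when wiring a check like this into a fetch path. First, the name is resolved here and again by the HTTP client, so a rebinding DNS record can pass the check and then point elsewhere at connect time; connect to the address that was validated (setting the Host header yourself) or re-run the check inside the client's connection hook. Second, redirects are new destinations: disable automatic redirect following or validate every hop with the same function.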
