Invoice Ninja Server-Side Request Forgery Vulnerability in Migration Import Component

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in Invoice Ninja versions through 5.12.38. The issue is located in the migration import feature, specifically within the 'app/Jobs/Util/Import.php' file. The vulnerability arises because the 'company_logo' parameter in user-uploaded migration files is not properly validated before being passed to PHP's 'copy()' function. Because this lack of validation allows authenticated users to make the server send HTTP requests to arbitrary URLs, exploitation could reach internal network services and cloud metadata endpoints (such as those of AWS, GCP, or Azure) and expose sensitive information such as IAM credentials and internal API data.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an authenticated user can make the server send requests to internal services or external URLs, potentially accessing sensitive data or cloud metadata.

Reproduction

To reproduce this vulnerability, upload a migration file containing a malicious 'company_logo' URL through the Invoice Ninja API. The 'company_logo' URL will be fetched by the server using the 'copy()' function, leading to SSRF. This can be verified by monitoring the server for outgoing requests to the attacker's URL.

Remediation

It is recommended to validate the 'company_logo' URL before using it. This can be done by ensuring it uses HTTPS, parsing the URL to check its validity, blocking private or reserved IP addresses, and preventing access to cloud metadata endpoints. Alternatively, 'allow_url_fopen' can be disabled in 'php.ini', or 'copy()' can be replaced with a cURL-based solution that has restrictions on timeouts and redirects.
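The checks listed above, written out as an added example in PHP. This is not Invoice Ninja's own code or its fix: the function names 'validateLogoUrl' and 'fetchLogo', the metadata-host list, the size limit and the accepted image types are all assumptions made for the example. The idea is to replace an unchecked 'copy($url, $dest)' with a validated, pinned cURL fetch: require https, parse the URL, reject credentials and metadata hosts, resolve the host once and refuse private or reserved addresses, then pass the resolved address to cURL with CURLOPT_RESOLVE so a second DNS lookup cannot return a different answer, with redirects disabled and timeouts set.

```php
<?php
// Added example, not Invoice Ninja's code: hardened replacement for
// copy($companyLogoUrl, $dest) in a migration import.
declare(strict_types=1);

// Assumed list of cloud metadata hosts; extend for your environment.
const BLOCKED_METADATA_HOSTS = [
    '169.254.169.254',          // AWS / Azure / GCP instance metadata
    'metadata.google.internal', // GCP
    'metadata',                 // GCP short name
];

// True only for public, routable IPs. NO_PRIV_RANGE rejects RFC 1918 and
// fc00::/7; NO_RES_RANGE rejects loopback, link-local (169.254.0.0/16),
// 0.0.0.0/8 and other reserved blocks.
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Validates the URL and returns the single IP the fetch is allowed to use.
function validateLogoUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('Malformed logo URL');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        throw new InvalidArgumentException('Logo URL must use https');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in logo URL are not allowed');
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    if ($host === '' || $host[0] === '[') {
        // Keep the example simple: IPv6 literals are rejected outright.
        throw new InvalidArgumentException('IPv6 literal hosts are not accepted');
    }
    if (in_array($host, BLOCKED_METADATA_HOSTS, true)) {
        throw new InvalidArgumentException('Cloud metadata endpoint blocked');
    }

    // Resolve once; the result is pinned in fetchLogo() so the check and the
    // connection use the same address (no DNS rebinding between them).
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host); // returns the name unchanged on failure
        if ($ip === $host) {
            throw new InvalidArgumentException('Could not resolve logo host');
        }
    }
    if (!isPublicIp($ip)) {
        throw new InvalidArgumentException('Logo host resolves to a private or reserved address');
    }
    return $ip;
}

// Fetches the logo with cURL instead of copy(): https only, no redirects,
// bounded time and size, connection pinned to the validated IP.
function fetchLogo(string $url, string $destPath, int $maxBytes = 2_000_000): void
{
    $ip    = validateLogoUrl($url);
    $parts = parse_url($url);
    $port  = $parts['port'] ?? 443;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect could point inside
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
        CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        throw new RuntimeException("Logo fetch failed: HTTP {$status} {$error}");
    }
    // Only store what actually looks like an image (assumed allow-list).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif', 'image/webp'], true)) {
        throw new RuntimeException("Rejected logo with MIME type {$mime}");
    }
    file_put_contents($destPath, $body);
}

// Usage inside the import job (hypothetical variable names):
// fetchLogo($migration['company_logo'], $logoDestinationPath);
```

Disabling 'allow_url_fopen' as the page suggests would also stop 'copy()' from fetching URLs at all, but it is a global PHP setting and affects every other URL-based file operation in the application, so the validated fetch above is the more targeted fix; the two can be combined.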

Added: Jan 7, 2026, 12:21 PM
Updated: Jan 7, 2026, 12:21 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 3.1
exploitability: 6.8
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.