ZenTao Webhook Module Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the ZenTao project management system, affecting versions through 21.7.6-85642. The issue resides in the Webhook module, within the 'fetchHook' function of 'module/webhook/model.php'. It allows authenticated administrators to read arbitrary files from the server's local filesystem. The root cause is insufficient validation of webhook URLs when they are configured, in particular the absence of protocol filtering, so 'file://' URLs are accepted. When a webhook configured with a 'file://' URL fires, the server issues its POST request to that URL, reads the local file, and logs the response, thereby exposing the contents of the requested file.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive files on the server, including system and application configuration files, source code, and other private data. On Windows systems, it could also allow access to the SAM file, which contains user account information.

Reproduction

To reproduce this vulnerability, an authenticated administrator can create or edit a webhook in the ZenTao Webhook module. During this process, the administrator should set the webhook URL to a 'file://' path pointing to a local file, such as '/etc/passwd' on Linux or a Windows system file. After saving the webhook, the administrator can trigger an action that activates the webhook, such as creating a task or project. The server will then execute the webhook request, read the file contents via the 'file://' URL, and log the response, which can be viewed in the webhook logs interface.

Remediation

To address this vulnerability, webhook URL protocols should be restricted to HTTP and HTTPS only. Proper URL validation that allowlists permitted protocols before a webhook URL is saved is essential. Additionally, sanitizing or truncating response content in the webhook logs, or disabling logging for non-HTTP responses, limits the exposure of sensitive information should an unexpected URL be processed.
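One way to implement the protocol allowlist and the log truncation described above, written here in PHP as an added example; this is not ZenTao's own code, and the function and constant names are assumptions:

```php
<?php
// Added example (not ZenTao project code): allowlist-based webhook URL
// validation plus truncation of response bodies before logging.
// Function and constant names are illustrative, not ZenTao's own.

const WEBHOOK_ALLOWED_SCHEMES = ['http', 'https'];
const WEBHOOK_LOG_MAX_BYTES   = 512;

/**
 * Returns null when $url is acceptable for a webhook, otherwise a reason.
 * The check is a positive allowlist of schemes rather than a denylist of
 * 'file://', so any other non-HTTP scheme is refused as well. It does not
 * address destinations on internal networks; that needs a separate host check.
 */
function validateWebhookUrl(string $url): ?string
{
    $parts = parse_url($url);
    // 'file:///etc/passwd' parses with a scheme but no host and fails here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'URL must be absolute and include a scheme and host';
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, WEBHOOK_ALLOWED_SCHEMES, true)) {
        return "Scheme '{$scheme}' is not allowed; use http or https";
    }
    return null;
}

/**
 * Truncate a webhook response before it is written to the webhook log, so a
 * misconfigured or hostile endpoint cannot push bulk data into the log view.
 */
function sanitizeWebhookLogBody(string $body): string
{
    if (strlen($body) > WEBHOOK_LOG_MAX_BYTES) {
        return substr($body, 0, WEBHOOK_LOG_MAX_BYTES) . '...[truncated]';
    }
    return $body;
}

// Constructed sample inputs to show the accept/reject decisions.
$samples = ['https://hooks.example.com/zentao', 'file:///etc/passwd', 'ftp://host/path', 'not a url'];
foreach ($samples as $u) {
    $err = validateWebhookUrl($u);
    printf("%-36s %s\n", $u, $err === null ? 'OK' : 'REJECTED: ' . $err);
}
```

Of the four constructed inputs only the first is accepted; the validation belongs at save time (before the webhook record is written), with the truncation applied wherever the webhook response is logged.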

Added: Feb 4, 2026, 10:33 PM
Updated: Feb 4, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.1
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.