Emlog Server-Side Request Forgery Vulnerability via Uploaded SVG Files

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Emlog versions through 2.5.19. The issue arises from the application's handling of uploaded SVG files, which can contain references to external resources. When the server processes such an SVG, for example during thumbnail generation or sanitization, it sends HTTP requests to the host referenced in the file, which is under the attacker's control. This vulnerability could lead to internal network probing and the exposure of metadata or credentials.

Impact

Exploitation of this vulnerability allows for server-side Out-of-Band requests, leading to internal network probing and potential access to cloud instance metadata or internal services, with a risk of credential or secret disclosure.

Reproduction

To reproduce this vulnerability, upload a crafted SVG file containing external references to the Emlog admin media upload interface. Once the SVG is uploaded, the server will process it and make an outbound HTTP request to the specified external resource. This can be verified by observing the incoming request on a listener set up on the attacker-controlled server.

Remediation

Disable SVG uploads on admin/media.php until a fix is applied. Restrict outbound HTTP requests from the application or rendering hosts to block access to arbitrary external IPs, especially cloud metadata IPs. In the medium to long term, consider performing all rendering of user-provided SVGs in a sandboxed environment with no external network access.
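As an added example, not Emlog's own code and not part of this advisory, the following pre-upload check (assumed names `find_external_references` and `is_safe_svg`, with constructed sample files) flags SVGs that carry a DTD, an external `href`/`xlink:href` target, or a CSS `url()`/`@import` reference, which are the things a server-side renderer would fetch; only same-document `#` fragments and inline `data:` URIs pass.

```python
import re
import xml.etree.ElementTree as ET

# url(...) or @import in CSS, quoted or not; group 1 is the referenced URL.
_CSS_REF = re.compile(r"(?:@import\s*(?:url\()?|url\()\s*['\"]?([^'\")\s;]+)", re.I)

def _is_external(url: str) -> bool:
    """Same-document fragments and inline data: URIs need no network fetch."""
    url = url.strip()
    return bool(url) and not url.startswith("#") and not url.lower().startswith("data:")

def find_external_references(svg: bytes) -> list[str]:
    """List every place this SVG could make a renderer fetch a remote resource.
    Empty list == nothing found; a parse failure is itself a finding (fail closed)."""
    findings = []
    # A DTD can declare external entities that some XML stacks resolve before
    # any rendering happens, so reject DTDs outright.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg, re.I):
        findings.append("dtd/entity declaration present")
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return findings + [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # strip the namespace prefix
        for name, value in el.attrib.items():
            local = name.split("}")[-1]      # href and xlink:href both -> "href"
            if local == "href" and _is_external(value):
                findings.append(f"<{tag} href> -> {value.strip()}")
            elif local == "style":
                findings += [f"<{tag} style> -> {m.group(1)}"
                             for m in _CSS_REF.finditer(value) if _is_external(m.group(1))]
        if tag == "style" and el.text:
            findings += [f"<style> css -> {m.group(1)}"
                         for m in _CSS_REF.finditer(el.text) if _is_external(m.group(1))]
    return findings

def is_safe_svg(svg: bytes) -> bool:
    return not find_external_references(svg)

# Constructed samples (not from the advisory). BENIGN_SVG only uses same-document
# and data: references; EXTERNAL_SVG has two remote references to a documentation-range IP.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><linearGradient id="g"/><rect id="r" width="4" height="4"/></defs>
<use xlink:href="#r" style="fill:url(#g)"/><image href="data:image/png;base64,AAAA"/></svg>"""
EXTERNAL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<style>@import url(http://198.51.100.10/t.css);</style>
<image xlink:href="http://198.51.100.10/p.png" width="1" height="1"/></svg>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("external", EXTERNAL_SVG)):
        print(name, "->", find_external_references(sample) or "no external references")
```

This check is a complement to egress filtering, not a replacement for it: it stops the obvious external references at upload time, while the network restriction above limits what any remaining renderer fetch can reach.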

Added: Jan 2, 2026, 7:19 PM
Updated: Jan 2, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread          1.0
impact          6.3
exploitability  6.8
remediation     8.3
relevance       1.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.