Group-Office WOPI Service SSRF Vulnerability Allowing Internal Access and File Read

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Group-Office versions prior to 6.8.150, 25.0.82, and 26.0.5. An authenticated user in the System Administrator group can abuse the WOPI service discovery URL to make the server send requests to internal hosts and ports. The response to the forged request can be exfiltrated through the application's debug system, so the result of the SSRF is visible to the attacker. The vulnerability also permits unrestricted server-side file reading.

Impact

Exploitation of this vulnerability allows for server-side request forgery, with the potential to read internal files if file URLs are supported by cURL.

Reproduction

To reproduce this vulnerability, an authenticated user in the System Administrator group can send a request to the WOPI service discovery URL with a crafted payload that includes internal hosts or file URLs. The response can then be retrieved through the application's debug system, which is accessible via a separate JMAP call.

Remediation

Users can upgrade to Group-Office versions 6.8.150, 25.0.82, or 26.0.5 to address this vulnerability.

Added: Feb 4, 2026, 9:40 PM
Updated: Feb 4, 2026, 9:40 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.8
exploitability: 5.7
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.