Tandoor Recipes Cookmate Integration Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in the Cookmate recipe import feature of Tandoor Recipes prior to version 2.5.1. The application validates (at most) the URL supplied by the user, but does not re-validate the destination after following HTTP redirects, so a permitted external URL can redirect the server to an address that would otherwise be rejected. This allows any authenticated user, including users without administrative privileges, to make the server connect to arbitrary internal or external resources. The affected code is the Cookmate integration class in 'cookbook/integration/cookmate.py'. Exploitation could be used for internal network port scanning, for reaching cloud instance metadata services (such as those of AWS or GCP), or for disclosing the server's real IP address (for example, when the instance is fronted by a proxy or CDN).

Impact

Successful exploitation yields a blind SSRF: the attacker does not receive the response body, but can still cause the server to reach internal network resources and cloud metadata services, and can learn the server's real IP address from the connections it makes.

Reproduction

To reproduce this vulnerability, an authenticated user uploads a crafted Cookmate XML file whose 'imageurl' field points to an external service (httpbin.org's redirect endpoint is the example given) that answers with an HTTP redirect to an internal resource. The upload is performed through the Tandoor Recipes API by sending a POST request to '/api/import/' with the crafted XML file included; when the import fetches the image it follows the redirect to the internal target.
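The following is an added, self-contained illustration of the redirect-validation flaw described above and of one way to close it. It is not Tandoor's own code, not the code in 'cookbook/integration/cookmate.py', and not necessarily how version 2.5.1 fixes the issue. The "network" and DNS answers are constructed in-memory tables so it runs offline; the redirector URL, the metadata path and the IP addresses are assumptions chosen for the demonstration.

```python
"""Redirect-following SSRF: vulnerable pattern beside a hardened one.

Constructed example (not project code). Network and DNS are faked so the
script runs offline; in a real fetcher `fetch` would be an HTTP client with
automatic redirects disabled and `resolve` would use socket.getaddrinfo.
"""
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Assumed attack chain: a public redirector that 302s to the cloud metadata
# service. The concrete URLs are illustrative, not taken from the advisory.
METADATA = "http://169.254.169.254/latest/meta-data/"
REDIRECTOR = "https://httpbin.org/redirect-to?url=" + METADATA

# Constructed "network": url -> (status, headers, body).
FAKE_NET = {
    REDIRECTOR: (302, {"Location": METADATA}, b""),
    METADATA: (200, {}, b"ami-id\ninstance-id\n"),
    "https://example.com/cake.jpg": (200, {}, b"\xff\xd8\xff constructed jpeg"),
}

# Constructed DNS answers; the public IPs are arbitrary stand-ins.
FAKE_DNS = {
    "httpbin.org": ["3.224.220.101"],
    "example.com": ["93.184.216.34"],
}


def fake_fetch(url):
    """One HTTP request with NO automatic redirect handling."""
    return FAKE_NET.get(url, (404, {}, b""))


def fake_resolve(host):
    """Return the A/AAAA answers for a hostname (empty if unknown)."""
    return FAKE_DNS.get(host, [])


class SSRFBlocked(Exception):
    """Raised when a URL (or a redirect hop) targets a non-public address."""


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot be
    used to smuggle a private IPv4 address past the check.
    """
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def assert_public_url(url, resolve=fake_resolve):
    """Reject non-http(s) schemes, IP literals and hostnames that resolve
    to anything non-public. Raises SSRFBlocked on any failure."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:                       # IP literal: check it directly, no DNS
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:         # hostname: every resolved address must pass
        addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked(f"unresolvable host: {host}")
    for addr in addrs:
        if not is_public_ip(addr):
            raise SSRFBlocked(f"{host} -> {addr} is not a public address")


def fetch_image_vulnerable(url, fetch=fake_fetch, resolve=fake_resolve, max_hops=5):
    """The pattern the advisory describes: only the user-supplied URL is
    checked; Location headers are then followed without re-checking."""
    assert_public_url(url, resolve)
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])   # unchecked hop
            continue
        return body
    raise ValueError("too many redirects")


def fetch_image_hardened(url, fetch=fake_fetch, resolve=fake_resolve, max_hops=5):
    """Same loop, but every hop is validated before it is requested."""
    for _ in range(max_hops):
        assert_public_url(url, resolve)
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise SSRFBlocked("too many redirects")


def demo():
    """Run both fetchers against the redirector; returns (vulnerable, hardened)."""
    vulnerable = fetch_image_vulnerable(REDIRECTOR)
    try:
        hardened = fetch_image_hardened(REDIRECTOR)
    except SSRFBlocked as exc:
        hardened = f"blocked: {exc}"
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

Checking each hop before the request is made is the point; checking the first URL only, or checking after the redirect has already been followed, is what produces the blind SSRF. Two caveats for a real implementation: the resolved address should be the one actually connected to (otherwise a second lookup at connect time allows DNS rebinding), and the redirect limit should be enforced by the fetcher itself rather than relying on the HTTP client's default.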

Remediation

Users are advised to update to Tandoor Recipes version 2.5.1 or later, where this vulnerability has been fixed. Until the update is applied, restricting which authenticated users may use the import feature reduces exposure, since exploitation requires an authenticated account.

Added: Feb 13, 2026, 7:38 PM
Updated: Feb 13, 2026, 10:57 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.0
exploitability: 6.0
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.