CraftQL Server-Side Request Forgery Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in CraftQL versions through 1.3.7. This vulnerability allows attackers to execute arbitrary code by exploiting the handling of remote URLs in Asset field GraphQL mutations. The issue arises because CraftQL uses the 'file_get_contents()' function to fetch user-provided URLs without any validation, enabling access to local files, internal network resources, and cloud service metadata.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local files, internal network resources, and cloud service metadata, including sensitive credentials.

Reproduction

To reproduce this vulnerability, CraftQL must be installed on a Craft CMS 3.x environment. Once the vulnerable version of CraftQL is active, a GraphQL mutation can be crafted to include a remote URL that triggers the SSRF. This is done by uploading an asset through a GraphQL mutation and supplying a URL that the server then fetches. Because the URL is never validated, any protocol supported by the fetch function can be used, such as 'file://' to read local files or 'http://' to reach internal network services.

Remediation

Users can disable the CraftQL plugin, restrict GraphQL API access to trusted IPs, revoke and regenerate GraphQL tokens with strict permissions, or monitor outbound traffic to detect and respond to potential exploitation.
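For developers who maintain a fork or a similar plugin, the code-level fix is to stop passing a user-supplied URL straight to file_get_contents() and instead validate the scheme and the destination address before fetching. The following is an added example written for this advisory; it is not CraftQL's own code, and the function names, the curl-based fetch and the sample URLs are assumptions made for the illustration. It allows only http/https, resolves the host, rejects any private, loopback, link-local or otherwise reserved address (which covers the 169.254.169.254 cloud metadata endpoint), pins the connection to the vetted IP so a later DNS answer cannot swap in an internal address, and refuses to follow redirects.

```php
<?php
// Added example (not CraftQL code). Vulnerable pattern being replaced:
//   $data = file_get_contents($url);   // $url comes straight from a GraphQL mutation
//
// Hardened alternative: validate, resolve, pin, then fetch over http/https only.

/** Return every address a host resolves to (IPv4 and IPv6), or the literal if it already is one. */
function resolveAllAddresses(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        return [$host];
    }
    $records = @dns_get_record($host, DNS_A + DNS_AAAA) ?: [];
    $ips = [];
    foreach ($records as $r) {
        if (isset($r['ip']))   { $ips[] = $r['ip']; }
        if (isset($r['ipv6'])) { $ips[] = $r['ipv6']; }
    }
    return $ips;
}

/** True if the address is private (RFC 1918 / ULA) or reserved (loopback, link-local, 0.0.0.0/8, ...). */
function isPrivateOrReservedIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/**
 * Validate a remote asset URL. Returns ['host' => ..., 'ip' => ..., 'port' => ...] on success,
 * or a string describing why it was rejected.
 */
function validateRemoteAssetUrl(string $url)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'malformed URL';
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '$scheme' is not allowed";          // blocks file://, php://, gopher://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL are not allowed';
    }
    $host = trim($parts['host'], '[]');                     // parse_url keeps IPv6 brackets
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $addresses = resolveAllAddresses($host);
    if (!$addresses) {
        return "cannot resolve host '$host'";
    }
    foreach ($addresses as $ip) {                           // reject if ANY answer is internal
        if (isPrivateOrReservedIp($ip)) {
            return "host '$host' resolves to non-public address $ip";
        }
    }
    return ['host' => $host, 'ip' => $addresses[0], 'port' => $port];
}

/** Fetch a validated URL with curl, pinned to the vetted IP, no redirects, bounded size/time. */
function fetchRemoteAsset(string $url, int $maxBytes = 20 * 1024 * 1024): string
{
    $ok = validateRemoteAssetUrl($url);
    if (is_string($ok)) {
        throw new InvalidArgumentException("Rejected remote asset URL: $ok");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                    // a 302 to an internal host must not be followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$ok['host']}:{$ok['port']}:{$ok['ip']}"], // pin to the checked IP
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Remote fetch failed (HTTP $status): $err");
    }
    return $body;
}

// Constructed sample inputs showing what the validator accepts and rejects.
foreach ([
    'file:///etc/passwd',                        // rejected: scheme
    'http://169.254.169.254/latest/meta-data/',  // rejected: reserved (link-local) address
    'http://127.0.0.1:8080/',                    // rejected: loopback
    'http://[::1]/',                             // rejected: IPv6 loopback
    'https://example.com/image.png',             // accepted if it resolves to a public IP
] as $candidate) {
    $r = validateRemoteAssetUrl($candidate);
    echo $candidate, ' => ', is_string($r) ? "REJECT ($r)" : 'OK', PHP_EOL;
}
```

Two caveats worth keeping in mind when applying this pattern: the private/reserved check depends on PHP's filter flags, so hosts that redirect or return 3xx are handled only because redirects are disabled, and an allowlist of expected source domains is stronger than a denylist of addresses where the product's use case permits it. The outbound-traffic monitoring the advisory recommends remains useful even with this fix in place, since it also catches any other fetch path that was missed.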

Added: Apr 17, 2026, 2:56 PM
Updated: Apr 17, 2026, 2:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 8.1
exploitability: 6.0
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.