Admidio Unrestricted URL Fetch Vulnerability in SSO Metadata API Leading to SSRF and Local File Read

Vulnerability

A vulnerability in Admidio versions 5.0.0 through 5.0.6 allows an authenticated administrator to abuse the SSO Metadata API. The fetch_metadata.php endpoint accepts an arbitrary URL via a GET parameter, validates it only with PHP's FILTER_VALIDATE_URL, and retrieves its contents directly with file_get_contents(). That validation is insufficient: FILTER_VALIDATE_URL checks only the syntactic form of a URL and does not restrict the scheme, so file://, http://, ftp://, data:// and php:// URIs all pass, and file_get_contents() honours each of them. Exploitation can therefore lead to Server-Side Request Forgery (SSRF), access to internal services, or unauthorized reading of local files via the file:// scheme. The fetched data is returned verbatim to the requester.

Impact

Exploitation allows for unrestricted file reads, with potential access to sensitive files such as the database configuration, which contains plaintext credentials. On AWS, this vulnerability could be used to access instance metadata and IAM credentials. Additionally, the SSRF capability could be used to interact with internal services not exposed to the public.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a GET request to the SSO Metadata fetch endpoint with a URL parameter that includes a file:// URI pointing to a readable local file, such as the database configuration file. The response will include the contents of the specified file, demonstrating the local file read capability. Alternatively, a URL parameter can be used to access internal services via http://, showcasing the SSRF vulnerability.

Remediation

Users are advised to update to Admidio version 5.0.7, which restricts the URL fetch to HTTPS schemes, validates URLs more securely, and uses cURL for fetching metadata with added protections.
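As an added illustration (not Admidio's own code and not the actual 5.0.7 patch), the following PHP routine applies the mitigations the remediation names: an HTTPS-only scheme check on top of FILTER_VALIDATE_URL, and a cURL fetch restricted to HTTPS with redirects disabled. The function name is hypothetical, and the private-address filter and DNS pinning are assumptions beyond what the advisory states.

```php
// Added example (not Admidio's code): hardened metadata fetch applying the
// advisory's mitigations; name, IP filter and DNS pinning are assumptions.
function fetchSsoMetadata(string $url): string
{
    // FILTER_VALIDATE_URL only checks shape (file://, php://, data:// pass).
    $p = parse_url($url);
    if ($p === false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Malformed metadata URL');
    }
    if (strtolower($p['scheme'] ?? '') !== 'https') {
        throw new InvalidArgumentException('Only https:// is permitted');
    }
    $host = $p['host'] ?? '';
    if ($host === '' || isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('Host required; credentials rejected');
    }
    $port = $p['port'] ?? 443;
    // Resolve once (IPv4) and refuse private/loopback/link-local targets such
    // as internal services or cloud metadata; pin the address against rebinding.
    $ips = gethostbynamel($host);
    if ($ips === false) {
        throw new RuntimeException('Host does not resolve');
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            throw new RuntimeException('Destination is not a public address');
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // no file://, ftp://, http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,           // no redirect to an internal host
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_RESOLVE         => ["{$host}:{$port}:{$ips[0]}"],
        CURLOPT_TIMEOUT         => 10,
        CURLOPT_MAXFILESIZE     => 1048576,         // 1 MiB cap on returned data
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException('Metadata fetch failed');
    }
    return $body;
}
```

gethostbynamel() resolves IPv4 only, so IPv6-only metadata hosts would need an equivalent check with dns_get_record() before being pinned.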

Added: Mar 20, 2026, 3:37 AM
Updated: Mar 20, 2026, 3:37 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.