Roadiz Documents Server-Side Request Forgery Vulnerability Allowing Local File Read

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Roadiz Documents versions prior to 2.7.9, 2.6.28, 2.5.44, and 2.3.42. This vulnerability allows authenticated attackers with the 'ROLE_ACCESS_DOCUMENTS' permission to read any file on the server's local file system that the web server process can access. Exploitation of this vulnerability could lead to the disclosure of sensitive information such as environment variables, database credentials, and internal configuration files.

Impact

Successful exploitation of this vulnerability allows for unauthorized access to sensitive files, including environment files and database credentials, which could lead to a complete compromise of the web application and underlying operating system. In cloud environments, this vulnerability could be exploited to access internal metadata endpoints, potentially compromising the entire infrastructure.

Reproduction

To reproduce this vulnerability, an authenticated user with the 'ROLE_ACCESS_DOCUMENTS' permission can upload a malicious podcast RSS feed that includes a 'file://' URL targeting a sensitive file, such as the environment file. The Roadiz application will then read the file and make it available through the Media Manager.

Remediation

Users can upgrade to Roadiz Documents versions 2.7.9, 2.6.28, 2.5.44, or 2.3.42 to address this vulnerability.
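Upgrading is the fix; as defence in depth, the importer that fetches podcast enclosures can refuse anything that is not a plain remote HTTP(S) URL before any request is made. The helper below is an added example written for this advisory, not Roadiz code: `enclosureUrlRejection` and the sample URLs are assumptions. It rejects the file:// case from the Reproduction section outright and also refuses literal loopback, private, link-local (the cloud metadata endpoint) and reserved addresses, which the Impact section names as the follow-on risk.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a podcast enclosure URL may be fetched by a feed importer.
 * Returns null when the URL is acceptable, otherwise a short rejection reason.
 *
 * Hypothetical helper written for this advisory; it is not part of Roadiz.
 */
function enclosureUrlRejection(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return 'not an absolute URL';
    }

    // Only remote HTTP(S) fetches make sense for a feed. file://, php://,
    // ftp:// and similar schemes are exactly what the SSRF abused.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '$scheme' is not allowed";
    }

    if (!isset($parts['host']) || $parts['host'] === '') {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL are not allowed';
    }

    // parse_url keeps the brackets around IPv6 literals; strip them for validation.
    $host = strtolower(trim($parts['host'], '[]'));
    if ($host === 'localhost' || str_ends_with($host, '.localhost')) {
        return 'loopback host';
    }

    // A literal IP must be public: reject RFC 1918, loopback, link-local
    // (169.254.169.254 is the usual cloud metadata address) and reserved ranges.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $public = filter_var(
            $host,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return 'non-public IP address';
        }
    }

    return null;
}

// Constructed sample enclosure URLs, as an importer might see them in a feed.
$samples = [
    'https://cdn.example.com/episodes/001.mp3',
    'file:///etc/hostname',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]:8080/admin',
    'http://user:secret@podcast.example.com/feed.mp3',
    '/relative/path.mp3',
];

foreach ($samples as $url) {
    $reason = enclosureUrlRejection($url);
    printf("%-50s %s\n", $url, $reason === null ? 'OK' : 'REJECTED: ' . $reason);
}
```

The check above only inspects literal IP addresses. A hostname that resolves to a private address, or that changes its answer between the check and the fetch (DNS rebinding), is not caught here; a production importer should resolve the name once, apply the same range checks to every returned address, and pin the HTTP client to the vetted address, while also refusing to follow redirects to a URL that fails the same checks.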

Added: Mar 26, 2026, 6:25 PM
Updated: Mar 26, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          2.7
exploitability:  6.2
remediation:     0.0
relevance:       4.7
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.