EspoCRM Server-Side Request Forgery Vulnerability in Attachment API

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in EspoCRM 9.3.3 and earlier. An authenticated user can bypass the internal-host check by writing an IPv4 address in an alternative form such as octal notation. The check relies on PHP's filter_var() to validate IP addresses; filter_var() does not recognise these alternative forms, so the string is never classified as a loopback address and the request is allowed, while the HTTP client that performs the fetch still connects to 127.0.0.1. Requests to loopback-only services therefore succeed from the application runtime. The issue was confirmed on the '/api/v1/Attachment/fromImageUrl' endpoint, where the fetched response body is stored as an attachment, so its contents become available to the requesting user.
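The root cause described above, as an added example that is not EspoCRM's own code: a host check built on a strict IP parser (Python's ipaddress module stands in for PHP's filter_var(), which is equally strict about dotted-decimal form) beside a hardened check that first converts the host literal to the address the socket layer will actually connect to. The example goes beyond the octal case on the page: socket.inet_aton() accepts the same octal, hexadecimal, shorthand and single-integer spellings that libc accepts, so all of them normalize to 127.0.0.1 before the loopback test, and IPv4-mapped IPv6 literals are unwrapped as well. The sample URLs, the helper names and the getaddrinfo branch for real hostnames are assumptions for illustration.

```python
"""Added example, not EspoCRM code: a strict-parser host check (the flaw the
advisory describes, with Python's ipaddress standing in for PHP's filter_var)
beside a hardened check that normalizes the host the way the socket layer will."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample URLs. Every entry is 127.0.0.1 to libc's inet_aton() or is
# an IPv6 wrapper around it: octal octet, one 32-bit integer, hex, "a.b"
# shorthand, and an IPv4-mapped IPv6 literal.
LOOPBACK_SPELLINGS = [
    "http://0177.0.0.1/secret",      # octal, the form named in the advisory
    "http://2130706433/secret",      # 127 * 2**24 + 1 as one decimal number
    "http://0x7f000001/secret",      # the same number in hexadecimal
    "http://127.1/secret",           # two-part form: 127.(0.0.1)
    "http://[::ffff:127.0.0.1]/",    # IPv4-mapped IPv6
]

# Address classes that an image fetcher has no business reaching. 0.0.0.0 is
# included because connecting to it lands on loopback on Linux.
BLOCKED_FLAGS = ("is_loopback", "is_private", "is_link_local",
                 "is_reserved", "is_multicast", "is_unspecified")


def naive_is_allowed(url: str) -> bool:
    """Flawed check: blocks only hosts the strict parser recognizes as an IP."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # filter_var() behaves the same way: "0177.0.0.1" is not an IP to it,
        # so it is treated as a hostname and waved through.
        return True
    return not any(getattr(ip, flag) for flag in BLOCKED_FLAGS)


def canonical_ipv4(host: str):
    """Dotted-decimal form of an IPv4 literal as inet_aton() reads it, else None."""
    try:
        packed = socket.inet_aton(host)   # accepts octal, hex and short forms
    except OSError:
        return None
    return socket.inet_ntoa(packed)


def _is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop any IPv6 scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                             # ::ffff:127.0.0.1 -> 127.0.0.1
    return any(getattr(ip, flag) for flag in BLOCKED_FLAGS)


def hardened_is_allowed(url: str) -> bool:
    """Check the address the HTTP client will really connect to, not its spelling."""
    host = urlsplit(url).hostname or ""
    canon = canonical_ipv4(host)
    if canon is not None:
        addrs = [canon]
    else:
        try:
            addrs = [str(ipaddress.ip_address(host))]   # IPv6 literal
        except ValueError:
            # Real hostname (assumed design): resolve it and check every
            # address. A production fix must also pin the checked address for
            # the actual connection, or a DNS rebinding race defeats the check.
            try:
                addrs = [info[4][0] for info in socket.getaddrinfo(host, None)]
            except socket.gaierror:
                return False
    return not any(_is_internal(a) for a in addrs)


if __name__ == "__main__":
    for url in LOOPBACK_SPELLINGS:
        print(f"{url:30} naive={naive_is_allowed(url)!s:5} "
              f"hardened={hardened_is_allowed(url)}")
```

Run stand-alone, the script shows the naive check admitting every non-canonical spelling while the hardened check rejects all of them. The design point is that the validator and the fetcher must agree on how a host string is parsed; normalizing with the same routine the connect path uses removes the disagreement that filter_var() introduced.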

Impact

An authenticated user can bypass the internal-host restriction and make the application issue requests to loopback-only services on their behalf. Because the fetched response is stored as an attachment, the user can read the response body, which gives access to local-only services and other internal resources reachable from the application runtime.

Reproduction

An authenticated user sends a POST request to the '/api/v1/Attachment/fromImageUrl' endpoint with a URL whose host is a loopback address written in octal notation rather than dotted decimal. Because the octal form is not recognised as an IP address, the host check passes; the application fetches the URL and creates an attachment from the response, confirming the SSRF.

Remediation

Upgrade to EspoCRM 9.3.4, which fixes this vulnerability.

Added: Apr 13, 2026, 8:22 PM
Updated: Apr 13, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 6.0
remediation: 7.7
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.