EspoCRM
cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*
Affected versions: < 9.3.4
A Server-Side Request Forgery (SSRF) vulnerability has been identified in EspoCRM versions through 9.3.3. The issue arises in the POST /api/v1/Attachment/fromImageUrl endpoint, where host validation relies on dns_get_record() while the actual HTTP request uses curl's internal resolver. This creates a time-of-check to time-of-use (TOCTOU) condition, allowing an authenticated attacker with attachment creation access to bypass internal IP restrictions, scan network ports, and interact with internal HTTP-based services. The vulnerability has been patched in version 9.3.4.
Exploitation of this vulnerability allows for internal network scanning and access to HTTP-based services, potentially leading to further attacks within the internal network. However, the endpoint does not support data extraction from binary protocol services or remote code execution.
To reproduce this vulnerability, an authenticated user with attachment access uploads an image via the 'fromImageUrl' endpoint, pointing it at a domain whose DNS records they control. Because the host check and the actual HTTP request resolve the name separately, the record can be switched to an internal IP after the check has passed (DNS rebinding), so the request bypasses the application's internal host checks and reaches restricted network services.
Users can update to EspoCRM version 9.3.4, where this vulnerability has been fixed.
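One way to close the check/use gap described above, shown here as an added illustration that is neither EspoCRM's code nor its 9.3.4 patch: resolve the host once, validate every returned address, and then pin curl to exactly those addresses with CURLOPT_RESOLVE so the request cannot perform a second, unchecked lookup. The function names (fetchImageSafely, isPublicIp) are assumed for this example.

```php
<?php
// Added example (not EspoCRM's code): bind the host check and the HTTP request
// to the same DNS resolution so a record changed between check and use
// (DNS rebinding) cannot redirect the request to an internal address.

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 / fc00::/7; NO_RES_RANGE rejects loopback,
    // link-local (incl. 169.254.0.0/16 cloud metadata), 0.0.0.0/8, 240.0.0.0/4,
    // ::1, ::, ::ffff:0:0/96 and fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function fetchImageSafely(string $url, int $maxBytes = 5_000_000): ?string
{
    $parts = parse_url($url);
    if (!$parts || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);

    // A literal IP is validated directly; a hostname is resolved exactly once
    // and every returned address (A and AAAA) must be public.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : [];
    foreach ($addrs ? [] : (dns_get_record($host, DNS_A | DNS_AAAA) ?: []) as $rec) {
        $addrs[] = $rec['ip'] ?? $rec['ipv6'];
    }
    if (!$addrs || count(array_filter($addrs, 'isPublicIp')) !== count($addrs)) {
        return null; // unresolvable, or at least one address is internal
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Pin curl to the validated addresses: no second lookup, no rebinding.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:" . implode(',', $addrs)],
        // A redirect would re-resolve a new, unchecked host; refuse to follow.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body = curl_exec($ch);
    $ok = $body !== false && curl_getinfo($ch, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($ch);
    return $ok ? $body : null;
}
```

Rejecting redirects is part of the fix: following a 3xx would hand curl a new hostname that was never checked, reopening the same gap by a different route.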