Halo Server-Side Request Forgery Vulnerability in Theme Installation Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Halo version 2.22.14. An authenticated user can make the Halo server issue GET requests to attacker-chosen URIs and use the result to probe internal resources. The issue arises in the '/themes/-/install-from-uri' endpoint, where the user-controlled URI is accepted without adequate validation of where the resulting request will actually go, so the server can be directed at internal network addresses.

Impact

Exploitation of this vulnerability lets an authenticated attacker reach internal services that are not exposed externally (for example, services bound to loopback or private addresses). Depending on how the endpoint surfaces the fetch result, this can disclose the existence of internal hosts and ports or the content they return.

Reproduction

To reproduce this vulnerability, send a request to the '/apis/uc.api.storage.halo.run/v1alpha1/themes/-/install-from-uri' endpoint with a URI pointing to a server the attacker controls. That server should answer with an HTTP redirect to an internal address. Because the Halo server follows the redirect, any check that was applied only to the originally supplied URI is bypassed: the supplied URI points to a public host, but the request that is ultimately made goes to the internal target. If successful, a service running on the internal network is reached through the SSRF vulnerability.

Remediation

It is recommended to reject requests to internal addresses at the vulnerable endpoint. A deny-list of loopback, private (RFC 1918), link-local, cloud-metadata and other non-routable ranges is the minimum, but to be effective it must be applied to the resolved IP address rather than only to the hostname string, and it must be re-applied to every redirect hop (or redirects must not be followed at all), since the reproduction above works precisely by redirecting from an allowed host to a denied one. Where the deployment permits, an allow-list of approved theme sources is stronger than any deny-list.
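The redirect-based bypass in the reproduction steps and the filtering recommended under Remediation can both be shown in one short example. The following Python code is an added illustration written for this page; it is not Halo's own code and not a fix from the Halo project (Halo itself is a Java application). The hostnames, the DNS entries, the redirect targets and the `resolve`/`fetch` stand-ins are constructed so that the example runs offline with no network access. It first shows that a check applied only to the user-supplied URI accepts the attacker's host, then re-validates every redirect hop and rejects the hop that lands on a private address.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Address ranges a theme-install fetcher should never reach. This list is
# constructed for the example; extend it for your own deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # loopback
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "100.64.0.0/10",    # carrier-grade NAT
    "0.0.0.0/8",
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]


def ip_is_blocked(ip_str):
    """True if the address falls in a blocked range. IPv4-mapped IPv6
    addresses (::ffff:127.0.0.1) are judged as their IPv4 form."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_target(url, resolve):
    """Return None if the URL may be fetched, otherwise a rejection reason.
    `resolve(host)` returns a list of IP strings; it is injected so the
    example runs offline (production code would use socket.getaddrinfo and
    connect to the exact IP it validated, to avoid a DNS rebinding race)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)                        # hostname: resolve it
    if not addrs:
        return f"unresolvable host: {host}"
    for addr in addrs:
        if ip_is_blocked(addr):
            return f"{host} resolves to blocked address {addr}"
    return None


def fetch_checked(url, resolve, fetch, max_redirects=5):
    """Follow redirects by hand and validate each hop before requesting it.
    `fetch(url)` stands in for the HTTP client and returns
    (status, Location header or None). Returns (outcome, url, reason)."""
    for _ in range(max_redirects + 1):
        reason = check_target(url, resolve)
        if reason:
            return ("rejected", url, reason)
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # next hop is re-checked on loop
            continue
        return ("fetched", url, None)
    return ("rejected", url, "too many redirects")


# Constructed DNS data: a public attacker host and an internal service.
DNS = {"attacker.example": ["203.0.113.10"], "intranet.corp": ["10.0.0.5"]}


def resolve(host):
    return DNS.get(host, [])


# Constructed HTTP responses: the attacker's URL redirects into the intranet.
ROUTES = {
    "http://attacker.example/theme.zip": (302, "http://10.0.0.5:8080/internal/"),
    "http://attacker.example/real.zip": (200, None),
}


def fetch(url):
    return ROUTES.get(url, (404, None))


if __name__ == "__main__":
    # A check on the supplied URI alone accepts the attacker's public host...
    print(check_target("http://attacker.example/theme.zip", resolve))
    # ...but per-hop validation stops the redirect into 10.0.0.5.
    print(fetch_checked("http://attacker.example/theme.zip", resolve, fetch))
    print(fetch_checked("http://attacker.example/real.zip", resolve, fetch))
```

The design point is that `check_target` runs on the address the client is about to connect to, on every hop, not on the string the user typed once. In a real fetcher the resolver result must also be pinned: resolve once, validate, and open the socket to that exact IP, otherwise a hostname that answers with a public address on the first lookup and a private one on the second (DNS rebinding) would pass the check.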

Added: Apr 30, 2026, 4:34 PM
Updated: Apr 30, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 0.6
exploitability: 4.0
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.