ProcessWire CMS Server-Side Request Forgery Vulnerability in Module Installation Feature

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ProcessWire CMS versions through 3.0.255. It resides in the admin panel's 'Add Module From URL' feature, which lets an authenticated administrator submit an arbitrary URL from which the server downloads a module archive. Because the supplied URL is not validated, the server can be made to issue outbound HTTP requests to any destination the attacker chooses, including hosts on the internal network and external hosts the attacker controls. The impact is amplified by detailed error messages that report how each request failed: by comparing them an attacker can distinguish open from closed ports and reachable from unreachable hosts, enumerate private IP ranges, and reach cloud instance metadata endpoints.

Impact

Exploitation of this vulnerability allows internal network port scanning, enumeration of hosts and services in private IP ranges, access to cloud metadata endpoints on AWS, GCP and Azure (which can expose instance credentials and configuration), and data exfiltration via DNS, since the server resolves whatever hostname the attacker places in the URL. Exploitation requires an authenticated administrator account, so the attacker is either a malicious insider or someone who has already obtained admin credentials; the SSRF then extends that access from the CMS to the surrounding network.

Reproduction

To reproduce this vulnerability, an authenticated administrator first enables the 'Add Module From URL' feature in the ProcessWire CMS admin panel, then navigates to the 'Modules' section and selects 'Add Module From URL'. Entering a URL that points at an internal host, or at a specific port on the loopback interface, causes the server to request that URL. The error returned for a closed port differs from the one returned for an open port, so the response reveals the port's state; repeating the request across ports and hosts turns the feature into an internal port scanner.

Remediation

To address this vulnerability, administrators should disable the 'Add Module From URL' feature if it is not needed. If the feature must remain enabled, it should be restricted to a higher privilege role than standard admin, and outbound requests should be allowlisted to trusted domains or IP ranges. Independently of any allowlist, the resolved IP address of every supplied URL should be validated before the request is made, rejecting addresses in loopback, link-local (including the 169.254.169.254 metadata address), private and other non-public ranges, and rejecting the URL if any of the host's DNS answers falls in those ranges. The check must cover IPv6 as well as IPv4, including IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1, the HTTP client should connect to the address that was validated rather than resolving the name a second time (otherwise a DNS rebind between check and fetch bypasses the check), and any redirect must be validated the same way before it is followed. Finally, verbose error messages should be suppressed so that the reason a download failed is logged server-side and only a generic failure is shown in the admin panel, preventing the response from being used to map the internal network.
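The following is an added example of the destination check described above, written in Python for illustration; it is not ProcessWire code and does not call any ProcessWire API. The allowlist contents, the stub DNS table and the addresses in it are constructed for the example. It rejects non-https schemes, embedded credentials, unexpected ports, hosts off an optional allowlist, and any host whose literal or resolved address (IPv4, IPv6 or IPv4-mapped IPv6) is loopback, link-local, private, CGNAT, multicast, reserved or unspecified, and it returns the vetted addresses so the caller can connect to one of them rather than resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not ProcessWire code. Validates a user-supplied module download
# URL before any request is made.

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # not covered by is_private


class UnsafeUrl(ValueError):
    """Raised when a supplied URL must not be fetched."""


def is_blocked_ip(addr: str) -> bool:
    """True for loopback, link-local (incl. 169.254.169.254), private, CGNAT,
    multicast, reserved and unspecified addresses. IPv4-mapped IPv6 addresses
    are unwrapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or ip in CGNAT)


def resolve_host(host: str) -> list:
    """Every A/AAAA answer for host from the system resolver (real lookup)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_download_url(url: str, allowed_hosts=None, resolve=resolve_host):
    """Return (host, port, addrs) for a URL that is safe to fetch, else raise UnsafeUrl.

    The caller must connect to one of the returned addrs (sending host as the Host
    header / SNI) instead of resolving again, so a DNS rebind between check and
    fetch cannot substitute an internal address. Every redirect Location must be
    passed back through this function before it is followed.
    """
    try:
        parts = urlparse(url)
    except ValueError as e:
        raise UnsafeUrl(f"unparseable URL: {e}") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("URL has no host")
    try:
        port = parts.port or 443
    except ValueError as e:
        raise UnsafeUrl(f"bad port: {e}") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeUrl(f"host not on allowlist: {host!r}")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise UnsafeUrl(f"host does not resolve: {host!r}")
    # Reject if ANY answer is non-public; a name returning one public and one
    # private record would otherwise let the client pick the internal one.
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:
        raise UnsafeUrl(f"{host!r} resolves to non-public address(es): {blocked}")
    return host, port, addrs


# Constructed DNS answers so the example runs offline (made-up, not real records).
STUB_DNS = {
    "modules.processwire.com": ["198.51.101.10"],
    "github.com": ["198.51.101.20", "2001:db9::20"],
    "rebind.example": ["198.51.101.30", "10.0.0.5"],  # public + private in one answer
}


def stub_resolve(host: str) -> list:
    return STUB_DNS.get(host.lower(), [])


def verdict(url: str, allowed_hosts=None, resolve=stub_resolve) -> str:
    """'allow' or 'deny: <reason>'. The reason belongs in the server log; the
    admin UI should show only a generic rejection so error text cannot be used
    to map the network."""
    try:
        validate_download_url(url, allowed_hosts, resolve)
        return "allow"
    except UnsafeUrl as e:
        return f"deny: {e}"


if __name__ == "__main__":
    for u in ["https://modules.processwire.com/modules/foo.zip",
              "http://127.0.0.1:6379/",
              "https://169.254.169.254/latest/meta-data/",
              "https://[::ffff:10.0.0.1]/",
              "https://rebind.example/x.zip",
              "https://github.com/x/y.zip"]:
        print(f"{u:50} {verdict(u)}")
```

In production the stub resolver is replaced by resolve_host, and the HTTP client is configured not to follow redirects automatically; each Location header goes through validate_download_url and the connection is made to a returned address. Note that validating the name once and then handing the URL to a library that resolves it again reintroduces the rebinding window the function is designed to close.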

Added: Apr 15, 2026, 10:43 PM
Updated: Apr 15, 2026, 10:43 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 5.9
remediation: 8.3
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.