Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.9.14
- >= 4.0.0-RC1, <= 4.17.8
A server-side request forgery (SSRF) vulnerability has been identified in Craft CMS versions 4.x prior to 4.17.9 and 5.x prior to 5.9.15. The issue arises in the 'resource-js' endpoint, which proxies remote JavaScript resources for unauthenticated requests. When the 'trustedHosts' configuration is not explicitly set (the default behavior), the application accepts the client-supplied Host header, which lets an attacker manipulate the 'baseUrl' that 'actionResourceJs()' uses for validation. By sending a crafted Host header, the attacker can cause the server to make arbitrary HTTP requests.
Exploitation of this vulnerability allows for server-side request forgery, where the server is tricked into making HTTP requests to internal or external resources on behalf of the attacker.
To reproduce this vulnerability, send a request to the 'resource-js' endpoint with a controlled Host header, while using Craft CMS version 5.9.12 with the default configuration that does not restrict trusted hosts. This can be done by deploying Craft CMS in a Docker container, starting a listener on an internal port, and then sending the request with the malicious Host header. The listener will receive the request, confirming the successful exploitation of the vulnerability.
Users can update to Craft CMS versions 4.17.9 or 5.9.15, which patch this vulnerability.
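As an added example (not Craft CMS code and not part of this advisory), the following Python snippet applies the kind of hostname allowlist check that an explicit 'trustedHosts' setting is meant to provide, and runs it over access-log lines to flag resource-js requests whose Host header is not on the allowlist. The action path 'actions/app/resource-js', the log format and the log lines themselves are constructed assumptions.

```python
"""Added example (not Craft CMS code): emulate an allowlist decision on the
Host header and flag resource-js requests whose Host header is untrusted.
The action path and the access-log format are assumptions."""
import re
from typing import Iterable

# Constructed access-log lines: client IP, request line, Host header value.
SAMPLE_LOG = """\
10.0.0.5 "GET /index.php?p=actions/app/resource-js HTTP/1.1" host=www.example.com
10.0.0.9 "GET /index.php?p=actions/app/resource-js HTTP/1.1" host=attacker.invalid
10.0.0.7 "GET /about HTTP/1.1" host=attacker.invalid
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" host=(?P<host>\S+)$')
RESOURCE_JS = "actions/app/resource-js"  # assumed action path for actionResourceJs()


def host_is_trusted(host_header: str, trusted_hosts: Iterable[str]) -> bool:
    """Return True only if the bare hostname (port stripped, case-folded,
    trailing dot removed) matches an allowlisted host. An empty allowlist
    trusts nothing, the safe counterpart to 'accept any Host header'."""
    hostname = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    allowed = {h.strip().lower().rstrip(".") for h in trusted_hosts}
    return hostname in allowed


def suspicious_resource_js_requests(log_text: str, trusted_hosts: Iterable[str]):
    """Return (ip, host) pairs for resource-js hits carrying an untrusted Host."""
    allowed = list(trusted_hosts)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or RESOURCE_JS not in m["path"]:
            continue  # unparsable line or a request to some other action
        if not host_is_trusted(m["host"], allowed):
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    for ip, host in suspicious_resource_js_requests(SAMPLE_LOG, ["www.example.com"]):
        print(f"resource-js request from {ip} with untrusted Host header {host!r}")
```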