Squidex
cpe:2.3:a:squidex.io:squidex:*:*:*:*:*:*:*
- <= 7.21.0
A blind server-side request forgery (SSRF) vulnerability has been identified in the Squidex Restore API, prior to version 7.23.0. The issue arises because the API does not properly validate the URI scheme of the user-supplied 'Url' parameter, allowing the 'file://' protocol to be used. This vulnerability enables authenticated administrators to manipulate the backend server into accessing the local filesystem, potentially leading to local file interaction (LFI) and the unauthorized disclosure of sensitive system information through side-channel analysis of internal logs.
Exploitation of this vulnerability allows authenticated administrators to access and read local files on the server. This could be used to confirm the presence of sensitive files, such as application configuration files containing secrets, or to access backup files belonging to other users in a multi-tenant environment.
To reproduce this vulnerability, an authenticated administrator can send a POST request to the '/api/apps/restore' endpoint with a 'Url' parameter that uses the 'file://' scheme, such as 'file:///etc/passwd'. The request should include a valid authorization token. Once the request is processed, the server logs will reveal that the file was successfully accessed, demonstrating the exploitation of the SSRF vulnerability.
Users can update to Squidex version 7.23.0 or later, where this vulnerability has been fixed. Additionally, it is recommended to configure the application to disallow restores from local files by setting the 'BACKUPS__ALLOWRESTOREFROMLOCALFILES' option to 'false'.
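As an added example (not Squidex's own code), a scheme allow-list for the restore 'Url' parameter, with a flag standing in for the BACKUPS__ALLOWRESTOREFROMLOCALFILES setting; it also rejects literal loopback and private hosts, which goes beyond the file:// fix the advisory describes. Function and class names are hypothetical.

```python
# Added example, not Squidex's own code; function and class names are hypothetical.
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED_REMOTE_SCHEMES = frozenset({"http", "https"})

class RestoreUrlRejected(ValueError):
    """Raised when a restore URL fails validation."""

def _is_internal_host(host: str) -> bool:
    """True for 'localhost' and literal loopback/private/link-local addresses.
    This goes beyond the advisory's file:// fix: a scheme check alone still lets an
    http(s) URL point at the backend's own network. DNS names are not resolved here."""
    if host.lower() == "localhost":
        return True
    try:
        return not ip_address(host).is_global
    except ValueError:
        return False  # not an IP literal

def validate_restore_url(url: str, allow_local_files: bool = False) -> str:
    """Return the lower-cased scheme of `url` if it may be used for a restore.
    `allow_local_files` plays the role of BACKUPS__ALLOWRESTOREFROMLOCALFILES from the
    advisory: only when it is True is the 'file' scheme accepted."""
    if not url or not url.strip():
        raise RestoreUrlRejected("empty restore URL")
    parts = urlsplit(url.strip())  # urlsplit lower-cases the scheme, so 'FILE://' is caught
    scheme = parts.scheme
    if scheme in ALLOWED_REMOTE_SCHEMES:
        host = parts.hostname
        if not host:
            raise RestoreUrlRejected("remote restore URL has no host")
        if _is_internal_host(host):
            raise RestoreUrlRejected(f"host {host!r} is not a public address")
        return scheme
    if scheme == "file" and allow_local_files:
        return scheme
    # Allow-list, not deny-list: ftp, gopher, an empty scheme and so on all end here.
    raise RestoreUrlRejected(f"scheme {scheme or '<none>'!r} is not allowed for restores")

def is_restore_url_allowed(url: str, allow_local_files: bool = False) -> bool:
    """Boolean wrapper for callers that only need an accept/reject answer."""
    try:
        validate_restore_url(url, allow_local_files)
        return True
    except RestoreUrlRejected:
        return False
```

A DNS name that resolves to an internal address is not caught by this check; that needs validation at resolution time, after the name is looked up.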