Kalcaddle Kodbox Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Kalcaddle Kodbox version 1.64. The issue arises in the fileGet endpoint, specifically within the PathDriverUrl function of editor.class.php. The vulnerability allows authenticated users to manipulate the path parameter so that the server sends requests to internal services and returns their responses. This is possible because the application does not adequately validate or restrict internal addresses and accepts various protocols, such as HTTP, HTTPS, and FTP, in the supplied path.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal services and retrieve their responses, potentially leading to unauthorized access to internal resources or information.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the fileGet endpoint with a crafted URL in the path parameter. The server will then fetch the resource from the specified URL and return the response, effectively allowing the user to access internal services.

Remediation

It is recommended that Kodbox stop accepting arbitrary URLs in the path parameter of the fileGet endpoint. If remote reads are necessary, the application should enforce strict domain allowlisting, robust IP or netblock restrictions, scheme and port limits, safe redirect handling, and thorough logging and access control for all remote fetch operations.

Added: Mar 23, 2026, 2:34 PM
Updated: Mar 23, 2026, 2:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.