Kalacaddle Kodbox Server-Side Request Forgery Vulnerability in Share Management Endpoint

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Kalacaddle Kodbox versions through 1.64. The flaw lies in the share management component, specifically in the shareMake and shareCheck functions. A remote attacker can supply arbitrary values for the siteFrom and siteTo parameters, causing the server to issue HTTP requests to attacker-chosen internal or external URLs and so reach resources and services that are only accessible from the server's network. The request is accepted because the token that is meant to authorize it is validated with a hard-coded cryptographic key: anyone who knows the key can forge a valid token and create or modify share configurations without authenticating, including shares belonging to high-privilege users such as administrators.

Impact

Exploitation allows unauthorized creation and modification of share records with no authentication or authorization. This can expose or alter shared resources, particularly when the targeted shares belong to high-privilege users. The SSRF component additionally lets an attacker reach internal services and instance metadata endpoints that are not exposed to the internet, using the Kodbox server as the request origin.

Reproduction

To reproduce, send a GET request to the Kodbox server's shareOut/shareMake endpoint with a forged _check parameter generated with the Mcrypt encoding method and the hard-coded key 'kodShareOut'. The siteFrom and siteTo parameters may be set to any URL, and the server will issue requests to those locations. No authentication is required, because the server treats the forged _check token as valid.
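The request shape above also gives a detection signature. The following Python is an added example for this advisory, not Kodbox code: it scans web-server access logs for calls to shareOut/shareMake or shareOut/shareCheck and classifies the siteFrom and siteTo destinations. The log lines are constructed in combined log format, and the index.php?shareOut/shareMake&... URL layout used in them is an assumption for the sample.

```python
"""Flag access-log requests matching the Kodbox shareOut SSRF pattern.

Added example, not Kodbox code. Route and parameter names
(shareOut/shareMake, shareOut/shareCheck, _check, siteFrom, siteTo) are
taken from the advisory; the sample log lines below are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2026:04:19:01 +0000] "GET /index.php?shareOut/shareMake&_check=abc123&siteFrom=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin&siteTo=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [06/Apr/2026:04:20:15 +0000] "GET /index.php?shareOut/shareCheck&_check=def456&siteFrom=https%3A%2F%2Ffiles.example.org%2Fs%2Fabc&siteTo=https%3A%2F%2Ffiles.example.org%2Fs%2Fabc HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:04:21:30 +0000] "GET /index.php?explorer/list HTTP/1.1" 200 2048 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_RE = re.compile(r"shareOut/(shareMake|shareCheck)")


def destination_risk(url):
    """Classify a siteFrom/siteTo value as 'internal', 'external' or 'invalid'."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. The scanner does not resolve it (offline), so it is
        # reported as external; the blocking path must resolve and re-check.
        return "external"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "internal"
    return "external"


def scan_log(text):
    """Return one finding per request that hits the shareOut share routes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        route = ROUTE_RE.search(query)
        if not route:
            continue
        # keep_blank_values keeps the route key, which carries no '=value'.
        params = parse_qs(query, keep_blank_values=True)
        destinations = {}
        for name in ("siteFrom", "siteTo"):
            for value in params.get(name, []):
                destinations[name] = (value, destination_risk(value))
        findings.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "route": route.group(0),
            # _check is sent by legitimate clients too; its presence alone is
            # not evidence of forgery. The destination is the signal.
            "check_param_present": "_check" in params,
            "destinations": destinations,
            "severity": "high" if any(r == "internal" for _, r in destinations.values()) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["src"], f["route"], f["destinations"])
```

Hostnames are deliberately not resolved by the scanner, so a DNS name that points at an internal address is reported as external here; resolution belongs in the server-side check that decides whether to make the request, not in a log review that may run long after the fact.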

Remediation

Users are advised to update to a version of Kodbox that addresses this vulnerability. Where updating is not possible, remove the hard-coded 'kodShareOut' key from the share management endpoint, derive the token key from a per-installation secret instead, and enforce proper authentication and authorization on shareMake and shareCheck. The SSRF component should be closed separately by restricting the destinations accepted in siteFrom and siteTo (for example, rejecting loopback, private and link-local addresses), since a valid token should not allow a user to point the server at internal services.
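One shape the token part of that remediation can take, as an added example that is not Kodbox's code: the token is an HMAC-SHA256 over the share parameters under a per-installation secret, bound to the authenticated user and given an expiry, so knowing a key from the source tree (the advisory's 'kodShareOut') no longer lets anyone forge it. The class and function names (ShareTokenService, issue, verify, encode_token) and the field names uid/siteFrom/siteTo/exp are assumptions for illustration.

```python
"""Hardened share-token scheme for shareMake/shareCheck.

Added example for this advisory, not Kodbox's implementation. A token
signed under a secret every installation shares is forgeable by anyone
who reads the source; here the key is per installation, the token is
bound to the user it was issued to, and it expires. All names are
illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _canonical(fields):
    # Sorted keys and no whitespace so the same fields always sign identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def encode_token(key, fields):
    """base64url(payload).hex(mac). Anyone holding `key` can produce this,
    which is exactly why the key must not be a literal in the code."""
    payload = _canonical(fields)
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return b64 + "." + _sign(key, payload)


class ShareTokenService:
    def __init__(self, secret, ttl_seconds=3600):
        # Generated once per installation (e.g. secrets.token_bytes(32)) and
        # stored outside the web root, never a string literal in the source.
        if len(secret) < 32:
            raise ValueError("per-installation secret must be at least 32 random bytes")
        self._secret = secret
        self.ttl = ttl_seconds

    def issue(self, user_id, site_from, site_to, now=None):
        # Called only after the caller has authenticated; the token is bound to that user.
        exp = (now if now is not None else int(time.time())) + self.ttl
        fields = {"uid": user_id, "siteFrom": site_from, "siteTo": site_to, "exp": exp}
        return encode_token(self._secret, fields)

    def verify(self, token, session_user_id, now=None):
        """Return the signed fields or raise PermissionError.
        Nothing inside the token is trusted before the MAC check passes."""
        if not session_user_id:
            raise PermissionError("authentication required")
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        except ValueError:
            raise PermissionError("malformed token")
        # compare_digest is constant-time, so the MAC cannot be guessed byte by byte.
        if not hmac.compare_digest(_sign(self._secret, payload).encode(), mac.encode()):
            raise PermissionError("token signature does not verify")
        fields = json.loads(payload)
        if fields.get("exp", 0) < (now if now is not None else int(time.time())):
            raise PermissionError("token expired")
        if fields.get("uid") != session_user_id:
            raise PermissionError("token was issued to a different user")
        return fields


def rejects(service, token, user, now):
    try:
        service.verify(token, user, now=now)
    except PermissionError:
        return True
    return False


def demo():
    """Legitimate flow next to the forgeries the hardened scheme refuses."""
    server = ShareTokenService(secrets.token_bytes(32))
    good = server.issue("alice", "https://files.example.org/s/1", "https://files.example.org/s/1", now=1000)
    # An attacker who still believes the key is 'kodShareOut' signs admin-level
    # fields with it; the server's secret differs, so the MAC fails.
    attacker_fields = {"uid": "admin", "siteFrom": "http://127.0.0.1:8080/",
                       "siteTo": "http://169.254.169.254/", "exp": 10 ** 10}
    forged = encode_token(b"kodShareOut", attacker_fields)
    return {
        "legit_verifies": server.verify(good, "alice", now=1500)["siteTo"] == "https://files.example.org/s/1",
        "forged_rejected": rejects(server, forged, "admin", 1500),
        "other_user_rejected": rejects(server, good, "bob", 1500),
        "expired_rejected": rejects(server, good, "alice", 1000 + 3600 + 1),
        "anonymous_rejected": rejects(server, good, None, 1500),
    }


if __name__ == "__main__":
    print(demo())
```

The token only settles who may make or check a share and which parameters they signed; it does nothing about where siteFrom and siteTo point, so the destination check (resolving the hostname and refusing loopback, private and link-local results) still has to run in the code path that issues the outbound request.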

Added: Apr 6, 2026, 4:19 AM
Updated: Apr 6, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.