Bagisto Server-Side Request Forgery Vulnerability in Downloadable Link Handler

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Bagisto versions through 2.3.15, specifically within the Downloadable Link Handler component. It allows authenticated users with permission to manage downloadable products to enter arbitrary URLs as downloadable links. The application does not properly validate these URLs, and the server later fetches them with PHP's copy() function when a customer downloads the product. Exploiting this can give unauthorized access to internal network resources, or read local files via the file:// protocol or direct filesystem paths.

Impact

Exploitation of this vulnerability allows server-side request forgery, where the server is tricked into making requests to internal or external systems on behalf of the attacker. It also enables arbitrary local file reading through the file:// protocol or direct filesystem paths, effectively exfiltrating local file contents to the attacker.

Reproduction

To reproduce this vulnerability, log into the Bagisto admin panel with a user account that has permission to manage downloadable products. Create a product of the downloadable type and enter a malicious URL in the Downloadable Links section, selecting 'URL' as the file type. After saving the product, log in as a customer, purchase the item, and download it. The server then fetches the stored URL, performing the SSRF or local file read depending on the URL supplied.

Remediation

It is recommended to restrict downloadable URL links to the http and https protocols only, rejecting file:// URLs, local paths, and unsupported stream wrappers. The hostname should be resolved via DNS and requests to loopback, private, link-local, and reserved IP ranges blocked. URLs should be re-validated at the time of download, not only when saving. If external URLs are not needed, consider removing URL-based downloadable links altogether and allowing only uploaded files.
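The checks the Remediation section lists, written as an added example that is not Bagisto's own code (function names are assumed):

```php
<?php
// Added example (not Bagisto's own code): validate a downloadable-link URL when it
// is saved and again immediately before copy() fetches it at download time.
function isBlockedIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // loopback, link-local, 0.0.0.0/8, 240.0.0.0/4, ::1 and IPv4-mapped IPv6.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

function validateDownloadableUrl(string $url): array
{
    // A bare filesystem path such as /etc/passwd has no scheme and fails here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return [false, 'not an absolute URL'];
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    // Allowlisting http/https also rejects file://, php://, phar:// and other wrappers.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '$scheme' is not allowed"];
    }
    $host = trim($parts['host'] ?? '', '[]'); // parse_url keeps brackets on IPv6 literals
    // Literal IPs are checked directly; hostnames are resolved (A and AAAA) and every
    // returned address must pass, so a name with even one internal address is rejected.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];
    } else {
        $addrs = gethostbynamel($host) ?: [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
            $addrs[] = $rec['ipv6'];
        }
    }
    if ($addrs === []) {
        return [false, 'host does not resolve'];
    }
    foreach ($addrs as $ip) {
        if (isBlockedIp($ip)) {
            return [false, "host resolves to blocked address $ip"];
        }
    }
    return [true, 'ok'];
}
```

PHP's http stream wrapper follows redirects by default (the follow_location context option), so a redirect target is not covered by this check unless the fetch disables redirects or validates each hop.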

Added: Apr 21, 2026, 7:24 PM
Updated: Apr 21, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.