BidingCC BuildingAI Server-Side Request Forgery Vulnerability in Remote Upload API

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in BidingCC BuildingAI versions through 26.0.1. The issue lies in the remote upload API, specifically in the 'uploadRemoteFile' function of the 'file-storage.service.ts' module, which fetches whatever 'url' an unauthenticated caller supplies. An attacker can therefore make the server issue HTTP requests of the attacker's choosing from the server's own network position, including requests to internal services and cloud metadata endpoints that are not reachable from the internet.

Impact

Exploitation lets an attacker issue HTTP requests from the server rather than from their own host, so the requests carry the server's network position and whatever network-level trust comes with it. Targets that are unreachable from the internet, such as internal services and cloud instance metadata endpoints (which on many platforms serve instance credentials), become reachable. Depending on what is accessed, this can lead to information disclosure or, where the internal service acts on the request, unauthorized manipulation.

Reproduction

To reproduce, send a POST request to the '/upload/remote' endpoint with a JSON body whose 'url' field points at a URL the attacker controls (for example a listener that logs incoming connections). The server fetches that URL, so the SSRF can be verified either from the server's response, if it echoes the fetched content or an error that reveals it, or out-of-band by observing the request arriving at the attacker-controlled listener from the server's IP address. Pointing 'url' at a loopback, private-network or cloud metadata address then shows what the server can reach.

Remediation

Disable the public remote upload endpoint if it is not needed. If it is, enforce a strict allowlist of hostnames (and schemes) that may be fetched, require authentication, and rate-limit the endpoint. Block loopback, private and link-local ranges (including the 169.254.0.0/16 range used by cloud metadata services) and their IPv6 equivalents, and apply that check to the addresses the hostname actually resolves to rather than to the URL string alone. Two caveats: connect to the address that was validated instead of resolving the name a second time, or a DNS rebinding attack can pass the check and then reach an internal host; and do not follow redirects automatically, since a redirect from an allowlisted host to an internal address bypasses the check as well.
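The following is an added example, written for this advisory and not taken from BuildingAI or its 'file-storage.service.ts' module, of the allowlist-plus-resolved-address check described in the Remediation section. Function names (preflightRemoteUrl, checkRemoteUrl, validateRemoteUrl, blockedAddressReason), the policy shape and the constructed sample values (the 169.254.169.254 metadata address, 'cdn.example.com' and the addresses it "resolves" to) are assumptions of this example; the constructed URLs are the kind of 'url' values the Reproduction section describes sending, so the same block illustrates what the endpoint currently accepts and what a hardened handler should reject. DNS resolution is injected as a function so the code runs offline; a production caller would supply one built on Node's dns.promises.lookup with { all: true }.

```typescript
// Added example for this advisory, not BuildingAI's own code. Implements the remediation
// described above for a remote-upload handler: scheme allowlist, host allowlist, and
// rejection of loopback/private/link-local destinations, checked against the addresses
// the hostname actually resolves to. All names here are this example's own assumptions.

export interface RemoteUrlPolicy {
  allowedHosts: string[];      // exact hostnames that may be fetched; empty = deny everything
  allowedSchemes?: string[];   // defaults to ["https:"]
}

export interface Verdict {
  ok: boolean;
  reason?: string;             // why the URL was rejected
  addresses?: string[];        // validated addresses to connect to when ok
}

export type Resolver = (hostname: string) => Promise<string[]>;

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Dotted-quad IPv4 literal -> four octets, or null if it is not one.
function parseIPv4(s: string): number[] | null {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return null;
  const octets = parts.map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Returns why an address must not be fetched, or null if it is a public address.
export function blockedAddressReason(addr: string): string | null {
  const v4 = parseIPv4(addr);
  if (v4) {
    const [a, b] = v4;
    if (a === 127) return "loopback";
    if (a === 10) return "private (10/8)";
    if (a === 172 && b >= 16 && b <= 31) return "private (172.16/12)";
    if (a === 192 && b === 168) return "private (192.168/16)";
    if (a === 169 && b === 254) return "link-local / cloud metadata (169.254/16)";
    if (a === 100 && b >= 64 && b <= 127) return "carrier-grade NAT (100.64/10)";
    if (a === 0) return "this-network (0/8)";
    return null;
  }
  // IPv6: strip URL brackets, lower-case, and check the ranges that matter for SSRF.
  // Only the dotted-quad form of IPv4-mapped addresses is recognised here.
  const v6 = addr.toLowerCase().replace(/^\[|\]$/g, "");
  if (v6 === "::1") return "loopback (::1)";
  if (v6 === "::") return "unspecified (::)";
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (mapped) return blockedAddressReason(mapped[1]);
  if (/^fe[89ab]/.test(v6)) return "link-local (fe80::/10)";
  if (/^f[cd]/.test(v6)) return "unique-local (fc00::/7)";
  return null;
}

// Static checks that need no network. Run these BEFORE resolving, so the handler
// cannot be used to make DNS queries for attacker-chosen names.
export function preflightRemoteUrl(raw: string, policy: RemoteUrlPolicy): Verdict {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "unparseable URL" };
  const schemes = policy.allowedSchemes ?? ["https:"];
  if (!schemes.includes(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (!policy.allowedHosts.some((h) => h.toLowerCase() === host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true };
}

// Full check given the addresses the host resolved to. Every address is checked: an
// allowlisted name can still point at an internal IP (misconfigured or rebinding DNS).
export function checkRemoteUrl(raw: string, resolved: string[], policy: RemoteUrlPolicy): Verdict {
  const pre = preflightRemoteUrl(raw, policy);
  if (!pre.ok) return pre;
  if (resolved.length === 0) return { ok: false, reason: "hostname did not resolve" };
  for (const addr of resolved) {
    const why = blockedAddressReason(addr);
    if (why) return { ok: false, reason: `${addr}: ${why}` };
  }
  return { ok: true, addresses: resolved };
}

// Async entry point. The resolver is injected so this example runs offline; in production
// pass one built on dns.promises.lookup(host, { all: true }). Connect to the returned
// addresses (not to the hostname again) and fetch with redirects disabled, otherwise a
// second lookup or a 302 to http://127.0.0.1 re-opens the hole.
export async function validateRemoteUrl(raw: string, policy: RemoteUrlPolicy, resolve: Resolver): Promise<Verdict> {
  const pre = preflightRemoteUrl(raw, policy);
  if (!pre.ok) return pre;
  const host = new URL(raw).hostname;
  const resolved = await resolve(host).catch(() => [] as string[]);
  return checkRemoteUrl(raw, resolved, policy);
}
```

The handler should call validateRemoteUrl before any fetch, then open the connection to one of the returned addresses with the original hostname in the Host header (or use an HTTP client that accepts a custom lookup function) and set redirect handling to manual so a redirect can be re-validated with the same function. The IPv6 handling above covers the common textual forms only; a production deployment should use a complete IP-range library rather than the hand-written checks shown here.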

Added: Apr 27, 2026, 12:23 AM
Updated: Apr 27, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.4
exploitability  8.2
remediation     0.0
relevance       6.8
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.