O2OA Server-Side Request Forgery Vulnerability in URL Fetching Component

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in O2OA versions through 10.0. The issue resides in the upload-by-URL functionality of the FileAction component. An authenticated user controls the fileUrl parameter, so the server can be made to issue requests to internal or loopback resources that the server can reach but the user cannot. Because the fetched content is then made available to the user through the application's file download API, the response of the internal request is disclosed, which can expose sensitive information.

Impact

Exploitation of this vulnerability allows authenticated users to make the O2OA server fetch internal or loopback resources that are not otherwise accessible, and read the response through the application's file download API, leading to information disclosure.

Reproduction

The vulnerability can be reproduced by sending an authenticated POST request to the '/x_file_assemble_control/jaxrs/file/upload/with/url' endpoint with a JSON body whose 'fileUrl' field contains an attacker-chosen URL, for example one pointing at a loopback or internal address. The O2OA server fetches the content from that URL, and the fetched content can then be retrieved through the file download endpoint.

Remediation

It is recommended to restrict the upload-by-URL feature to a defined allowlist of trusted domains and to avoid using '*' as the default for outbound HTTP access. URL validation should accept only http and https, resolve the hostname, and reject the request if any resolved address is a loopback, private, link-local or multicast address; the same check must be applied to every redirect target, since a redirect to a loopback address would otherwise bypass the allowlist. Additionally, consider limiting this feature to administrative roles or disabling it by default.
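The validation described above, as an added example that is not part of the original advisory or of O2OA's own code (O2OA is a Java application; Python is used here only to illustrate the check). The allowlist format, the resolver hook, the constructed DNS table and the hostnames are assumptions made for the example:

```python
"""Hardened URL validation for an upload-by-URL feature.

Added illustration of the remediation above, not O2OA's FileAction code.
The allowlist format, the resolver hook and the constructed DNS table are
assumptions made for this example.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# A resolver maps a hostname to every IP string it resolves to.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver, returning every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_forbidden_address(ip_text: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved and
    unspecified addresses, including IPv4 addresses mapped into IPv6."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:          # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def host_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Exact match, or any subdomain of an entry written as '.example.com'.
    A '*' entry is refused rather than treated as 'allow everything'."""
    entries = [e.lower() for e in allowlist]
    if "*" in entries:
        raise ValueError("allowlist must not contain '*'")
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def validate_fetch_url(url: str, allowlist: Iterable[str],
                       resolve: Resolver = system_resolver) -> str:
    """Validate a user-supplied fetch URL and return the resolved IP the
    fetcher should connect to. Raises ValueError on any rejection.

    The fetcher must connect to the returned IP (sending the original Host
    header) and re-run this check on every redirect target; otherwise a
    DNS rebind or a 302 to http://127.0.0.1/ bypasses the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if not host_allowed(host, allowlist):
        raise ValueError(f"host not in allowlist: {host}")
    # Literal IPs are checked directly; names are resolved and every
    # answer is checked, since one A record pointing at 10.0.0.5 suffices.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    for addr in addresses:
        if is_forbidden_address(addr):
            raise ValueError(f"{host} resolves to forbidden address {addr}")
    return addresses[0]


def rejection_reason(url: str, allowlist: Iterable[str],
                     resolve: Resolver = system_resolver) -> Optional[str]:
    """Convenience wrapper: None if the URL is acceptable, else the reason."""
    try:
        validate_fetch_url(url, allowlist, resolve)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "v6.example.com": ["::ffff:127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower().rstrip("."), [])


ALLOWLIST = [".example.com"]   # assumed trusted-domain configuration

if __name__ == "__main__":
    for candidate in (
        "https://files.example.com/report.pdf",
        "http://127.0.0.1:20020/",
        "https://rebind.example.com/",
        "https://v6.example.com/",
        "file:///etc/passwd",
        "https://files.example.com.attacker.test/",
    ):
        verdict = rejection_reason(candidate, ALLOWLIST, fake_resolver)
        print(candidate, "->", verdict or "OK")
```

The resolver is injected so the checks run offline against the constructed table; in production the default system_resolver is used. Returning the resolved IP rather than just a boolean matters: the fetcher should open the connection to that address and set the Host header itself, so that a hostname which re-resolves to 127.0.0.1 between the check and the fetch (DNS rebinding) cannot slip through.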

Added: Apr 28, 2026, 8:00 PM
Updated: Apr 28, 2026, 8:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.