Akaunting Server-Side Request Forgery Vulnerability in Invoice PDF Rendering Component

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Akaunting version 3.1.21. The issue arises in the Invoice PDF Rendering component, specifically in the Dompdf configuration in config/dompdf.php. An authenticated user who can create or edit invoices can inject external resource tags (for example an image tag) into the invoice notes; when the PDF is generated, the server fetches those resources, making outbound requests to internal or attacker-controlled URLs on the user's behalf.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server perform outbound requests to external or internal URLs of their choice.

Reproduction

To reproduce this vulnerability, log into an Akaunting 3.1.21 account with permission to create or edit invoices. Once logged in, navigate to the invoice creation or editing section. In the notes field, inject an image tag pointing to an external URL. After saving the invoice, download the PDF version. The server will fetch the resource from the injected URL, demonstrating the SSRF vulnerability.

Remediation

It is recommended to disable remote fetching in Dompdf, restrict the URL schemes allowed for downloadable links to http and https, and block loopback, private, link-local, and reserved IP ranges. Additionally, re-validate stored URLs at the time of download rather than only at save time, use a dedicated HTTP client with redirect limits and timeouts, and, if external URLs are not needed, remove URL-based downloadable links entirely.
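The following is an added example, not code from Akaunting or Dompdf, showing how the remediation points above fit together: Dompdf options with remote fetching disabled by default, a scheme allowlist limited to http and https, and a validator that resolves the host at download time and rejects loopback, private, link-local and reserved addresses. It assumes Dompdf 2.x, where Options::setIsRemoteEnabled() and Options::setAllowedProtocols() exist and each protocol rule is a callable returning [bool, string]; the function names and the storage path are hypothetical.

```php
<?php
// Added example (not Akaunting's or Dompdf's own code).
// Assumptions: Dompdf 2.x Options API as described in the lead-in; helper
// names and the chroot path below are hypothetical. Verify the rule-callable
// contract ([bool $allowed, string $message]) against the installed version.

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Decide whether the renderer may fetch $url. Called when the PDF is built,
 * so a link that was harmless when the invoice was saved is re-checked
 * against current DNS before any request is made.
 */
function validateOutboundUrl(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return [false, 'URL could not be parsed'];
    }

    // Scheme allowlist: only http and https, never file://, php://, data:// etc.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme '{$scheme}' is not allowed"];
    }

    // Resolve the host now. An IP literal (IPv6 literals arrive as "[::1]") is
    // used as-is; a name is looked up for both A and AAAA records.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
            $addresses[] = $record['ip'] ?? $record['ipv6'] ?? null;
        }
        $addresses = array_values(array_filter($addresses));
    }
    if ($addresses === []) {
        return [false, "host '{$host}' does not resolve"];
    }

    // Every resolved address must be outside loopback, private, link-local and
    // reserved ranges. PHP's filter flags cover 10/8, 172.16/12, 192.168/16 and
    // fc00::/7 (private) plus 0/8, 127/8, 169.254/16, 240/4, ::1, :: and
    // fe80::/10 (reserved); extend the check if your network uses other ranges.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return [false, "{$ip} is a loopback, private, link-local or reserved address"];
        }
    }

    return [true, 'ok'];
}

/**
 * Build Dompdf options for invoice rendering. With $allowRemote === false
 * (the default posture) no remote resource is fetched at all; with it true,
 * only http/https URLs that pass validateOutboundUrl() are loaded.
 */
function invoicePdfOptions(bool $allowRemote = false): Options
{
    $options = new Options();
    $options->setIsRemoteEnabled($allowRemote);
    // Confine file:// access to the directory holding bundled fonts/assets.
    $options->setChroot(__DIR__ . '/../storage/pdf');   // hypothetical path

    if ($allowRemote) {
        // Protocols not listed here (file://, data://) become disallowed for
        // URI loads; re-add them with Dompdf's own rules if bundled assets need them.
        $options->setAllowedProtocols([
            'http://'  => ['rules' => ['validateOutboundUrl']],
            'https://' => ['rules' => ['validateOutboundUrl']],
        ]);
    }
    return $options;
}

// Usage: the notes field is HTML-escaped before it reaches the template, so a
// pasted tag is rendered as text rather than interpreted as a resource to fetch.
$notes = '<img src="http://127.0.0.1:8080/">';   // constructed sample input
$html  = '<p>' . htmlspecialchars($notes, ENT_QUOTES, 'UTF-8') . '</p>';

$dompdf = new Dompdf(invoicePdfOptions(false));
$dompdf->loadHtml($html);
$dompdf->render();
$pdfBytes = $dompdf->output();
```

The two controls are independent: escaping the notes removes the injection point in the template, while the Options object ensures that even HTML reaching the renderer from elsewhere cannot trigger a fetch to an internal address. Redirect limits and timeouts belong in the HTTP client Dompdf is configured to use, since a validated URL can still redirect to an internal one.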

Added: May 9, 2026, 7:18 PM
Updated: May 9, 2026, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.