Headline
GHSA-3cpp-fv95-mpr5: Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
Impact
This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet.
The overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags.
Description
Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.
Applicability
The PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF) vulnerability. Administrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers. To exploit this vulnerability, an admin account is required.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
- Log in as an admin and navigate to the following URL: https://<your-site>.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=false
- Click the button ‘Create document’ and create a ‘Partial cancellation’ document.
- As a comment add the following code:
<img src="<malicious image link>" width="250" height="100"/>
- Press the preview button to view the PFD.
- Observe that the image is shown in the PDF.
Impact
This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet.
The overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags.
Description
Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the
organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.
Applicability
The PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF)
vulnerability.
Administrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers.
To exploit this vulnerability, an admin account is required.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
Log in as an admin and navigate to the following URL:
https://.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=falseClick the button ‘Create document’ and create a ‘Partial cancellation’ document.
As a comment add the following code:
<img src="<malicious image link>" width="250" height="100"/>
- Press the preview button to view the PFD.
- Observe that the image is shown in the PDF.
References
- GHSA-3cpp-fv95-mpr5
- shopware/shopware@f32737b