Suite CRM v7.14.2 - SSRF
Summary
Name              | Suite CRM v7.14.2 - SSRF
Code name         |
Product           | Suite CRM
Affected versions | Version 7.14.2
State             | Public
Vulnerability
Kind                | Server-side request forgery
Rule                |
Remote              | Yes
CVSSv3.1 Vector     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CVSSv3.1 Base Score | 5.0
Exploit available   | Yes
CVE ID(s)           | CVE-2023-6388
Description
Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is vulnerable to SSRF.
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Suite CRM that, under certain conditions, could allow an authenticated user to make arbitrary HTTP requests through the vulnerable server.
The vulnerability exists because a user-entered URL is passed, without validation, to PHP's getimagesize() function, which fetches the URL from the server.
    public function handleInput($feed, $link_type, $link_url)
    {
        parent::handleInput($feed, $link_type, $link_url);
        // The FeedLinkHandlerLink class will help sort this url out for us
        $link_url = $feed->link_url;

        // Vulnerability Here
        $imageData = getimagesize($link_url);
        if (! isset($imageData)) {
            // The image didn't pull down properly, could be a link and allow_url_fopen could be disabled
            $imageData[0] = 0;
            $imageData[1] = 0;
        } else {
            if (max($imageData[0], $imageData[1]) > 425) {
                // This is a large image, we need to set some specific width/height properties so that the browser can scale it.
                $scale = 425 / max($imageData[0], $imageData[1]);
                $imageData[0] = floor($imageData[0]*$scale);
                $imageData[1] = floor($imageData[1]*$scale);
            }
        }
        $feed->link_url = base64_encode(serialize(array('url'=>$link_url,'width'=>$imageData[0],'height'=>$imageData[1])));
    }
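The following is an added example of a hardened counterpart to the code above; it is not SuiteCRM's code and the function names (validateImageUrl, fetchImageDimensions, isPublicIp) and the sample URLs are constructed for illustration. It restricts the scheme and port, refuses embedded credentials, resolves the host once and rejects loopback, link-local and private ranges, then fetches the bytes with the resolved address pinned (so the name cannot re-resolve between check and use) and only afterwards calls getimagesizefromstring() on local data.

```php
<?php
// Added example (not SuiteCRM code): validate a user-supplied image URL and
// fetch it safely instead of handing the raw URL to getimagesize().

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 / fc00::/7; NO_RES_RANGE rejects loopback,
    // link-local (169.254.0.0/16, fe80::/10), 0.0.0.0/8 and similar reserved space.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns host/ip/port/url for an acceptable URL, or null when it must be rejected.
function validateImageUrl(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                           // no file://, php://, gopher://, ftp:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                           // no embedded credentials
    }
    $host = strtolower(trim($parts['host'], '[]'));   // strip IPv6 literal brackets
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                           // keep outbound traffic on expected ports
    }
    // Resolve exactly once; gethostbyname() returns the name unchanged on failure.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host);
        if ($ip === $host) {
            return null;
        }
    }
    if (!isPublicIp($ip)) {
        return null;
    }
    return ['host' => $host, 'ip' => $ip, 'port' => $port, 'url' => $url];
}

// Fetch at most $maxBytes from a validated URL with the resolved IP pinned,
// then measure the image from the downloaded bytes. Returns [width, height] or null.
function fetchImageDimensions(array $v, int $maxBytes = 5 * 1024 * 1024): ?array
{
    $ch = curl_init($v['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        CURLOPT_FOLLOWLOCATION   => false,     // a redirect could point back at internal hosts
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT   => 5,
        CURLOPT_TIMEOUT          => 10,
        CURLOPT_RESOLVE          => [sprintf('%s:%d:%s', $v['host'], $v['port'], $v['ip'])],
        CURLOPT_NOPROGRESS       => false,
        // Returning non-zero from the progress callback aborts the transfer.
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow, $ulTotal, $ulNow) use ($maxBytes) {
            return $dlNow > $maxBytes ? 1 : 0;
        },
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        return null;
    }
    $info = getimagesizefromstring($body);     // operates on local bytes only
    return $info === false ? null : [$info[0], $info[1]];
}

// Constructed sample inputs for this example (not taken from the advisory).
foreach ([
    'http://127.0.0.1:8080/status',        // loopback           -> rejected
    'http://10.0.0.5/logo.png',            // RFC 1918           -> rejected
    'http://169.254.1.1/logo.png',         // link-local         -> rejected
    'file:///etc/hosts',                   // scheme not allowed -> rejected
    'https://example.com/logo.png',        // public host        -> accepted if DNS resolves
] as $url) {
    $v = validateImageUrl($url);
    echo $url, ' => ', $v === null ? "rejected\n" : "ok ({$v['ip']})\n";
}
```

The resolve-then-pin step matters: checking a hostname and then letting the HTTP client resolve it again leaves a window in which a short-TTL record can be changed to an internal address. Disabling redirects closes the equivalent window at the HTTP layer. gethostbyname() only returns IPv4 answers, so IPv6-only hosts are rejected by this version; a deployment that needs them should resolve both A and AAAA records and check every address returned.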
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-6388 to refer to this issue from now on.
System Information
- Version: Suite CRM v7.14.2
- Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/salesagility/SuiteCRM/
Timeline
2023-12-05 | Vulnerability discovered.
2023-12-05 | Vendor contacted.
2023-12-07 | Vendor replied acknowledging the report.
2023-12-07 | Vendor confirmed the vulnerability.
2023-12-06 | Vulnerability patched.
2024-02-06 | Public disclosure.