Server-Side Request Forgery (SSRF) in janeczku/calibre-web


# Title Blind SSRF via URL fetch # Summary `calibre-web` allows external URL fetching in order to upload a book cover. However, instead of external URL it is possible to point to localhost, which will be reached resulting in blind SSRF. # Steps to reproduce 1. 1\. As an admin give permissions to upload files and edit books to any staff. 2. 2\. As an admin run any server on localhost to see the SSRF. 3. 3\. As a malicious staff go to books section -> select any book -> edit metadata -> in the `Fetch Cover from URL` field specify the address of service that you ran as an admin -> save the book. 4. 4\. As an admin observe that service on localhost was reached. # PoC: As a service for PoC I used python simple server - `python -m http.server 1234`. Also you may tunnel `calibre-web` server using `ngrok` - `ngrok http 1234` - to prove that it is exploitable in real environment (I already did, just wanted to make video PoC as short as possible). [Video PoC](https://www.youtube.com/watch?v=qU3IJme84Mg) # Impact This vulnerability is capable of port scanning and even may execute some actions on victim's side in case there are sensitive services on localhost.