huntr report 5C0C8E35-67F3-4714-834C-E1B90999B29A (Haxatron), Sep 19, 2021 - 5:30 p.m.

Server-Side Request Forgery (SSRF) in osticket/osticket

2021-09-19 17:30:41
haxatron
www.huntr.dev

EPSS: 0.736 (High), percentile 98.1%

Description

The SSRF vulnerability in osTicket described in CVE-2020-24881 is still unfixed: an attacker can still make the server issue arbitrary requests to the private network through the PDF print generator, although they cannot exfiltrate anything other than image data.

Proof of Concept

  1. Create a new ticket.
  2. Select the “HTML Format” option.
  3. Submit the following payload, which queries localhost:
     <figure><img src="http://localhost/index.png" alt="image"></figure>
  4. After submitting this comment, print the ticket via PDF.
  5. You will see a request from localhost in the Apache logs, indicating that the server is making a request to a private IP address.

Impact

This vulnerability allows internal port scans, interaction with internal web servers via GET requests, and information disclosure of images hosted on the internal network.

For instance, if an internal server hosted an image containing some kind of secret at http://localhost:8000/secret.png,
then this technique would allow me to embed http://localhost:8000/secret.png into the PDF, causing information disclosure.

Recommended Fix

Blacklist localhost IPs and private IP addresses when printing PDFs.
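As an added illustration of that fix (not osTicket's own code, which is PHP; this is a language-neutral sketch in Python), the check below collects every `<img src>` in an HTML-format ticket body and rejects any whose host is a loopback, private, link-local or IPv4-mapped address, resolving hostnames rather than matching the literal string "localhost". The `resolve` callable, the `*.example` hostnames and the addresses in `FAKE_DNS` are constructed assumptions; in production `resolve` would wrap `socket.getaddrinfo`.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_forbidden_ip(ip: str) -> bool:
    # Loopback, RFC 1918, link-local, multicast, reserved and unspecified ranges, IPv4 and IPv6.
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap ::ffff:127.0.0.1-style literals before checking
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_reserved or addr.is_unspecified

def is_safe_image_url(url: str, resolve) -> bool:
    # Allow only http(s) URLs whose host, literal or resolved, is entirely public.
    # `resolve(host)` returns the host's addresses (assumed interface; wrap socket.getaddrinfo in production).
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False  # also rejects file:, data:, gopher: and scheme-less paths
    try:
        ips = [str(ipaddress.ip_address(host))]  # strict IP literal, no lookup needed
    except ValueError:
        try:
            ips = list(resolve(host))  # names and non-canonical numeric forms go through the resolver
        except OSError:
            return False  # unresolvable: fail closed
    return bool(ips) and not any(is_forbidden_ip(ip) for ip in ips)  # one private record rejects the name

class _ImgSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def unsafe_image_sources(html: str, resolve) -> list[str]:
    # Every <img src> in a ticket body that the PDF renderer must refuse to fetch.
    collector = _ImgSrcCollector()
    collector.feed(html)
    return [src for src in collector.sources if not is_safe_image_url(src, resolve)]

# Constructed fixtures, not real hosts: a fake resolver and a ticket body mixing safe and unsafe images.
FAKE_DNS = {"localhost": ["127.0.0.1", "::1"], "cdn.example": ["93.184.216.34"],
            "split.example": ["93.184.216.34", "10.0.0.9"]}
def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS: raise OSError(f"constructed resolver has no record for {host}")
    return FAKE_DNS[host]
SAMPLE_TICKET_HTML = ('<figure><img src="http://localhost/index.png" alt="image"></figure>'
                      '<img src="http://cdn.example/logo.png"><img src="http://split.example/x.png">'
                      '<img src="http://[::ffff:127.0.0.1]:8000/secret.png">')
```

Checking the resolved address still leaves a window for DNS rebinding between the check and the fetch, so the renderer should connect to the address that passed the check rather than resolving the name a second time, and should apply the same check to every redirect target.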

