SSRF Vulnerability in MetInfo 8.0 via SVG File Upload

Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in MetInfo 8.0 that allows attackers to make arbitrary HTTP requests from the server by uploading malicious SVG files. The vulnerability occurs in the column management component where uploaded SVG files with embedded external image references can trigger outbound requests to attacker-controlled servers.

Affected Product

  • Product: MetInfo CMS
  • Version: 8.0
  • Component: Column Management (app\system\column\admin\index.class.php)
  • CWE: CWE-918: Server-Side Request Forgery (SSRF)

Technical Details

The environment was set up locally using PHPStudy, accessing the site at http://metlnfo/. After logging into the admin panel, I navigated to the column management section at http://metlnfo/admin/#/column where file upload functionality was discovered.

Column management interface:

[Screenshot: Column Management Interface]

File upload functionality in settings:

[Screenshot: File Upload Interface]

Proof of Concept (PoC)

The vulnerability can be exploited by uploading an SVG file containing an external image reference that points to an attacker-controlled server. The SVG payload is as follows:

<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://XXX.XXX.XXX.XXX:8000" />
</svg>

Upload the malicious SVG file through the column management interface:

[Screenshot: SVG Upload Success]

When the uploaded SVG is viewed or processed by the server, it triggers an outbound HTTP request to the specified URL:

[Screenshot: SSRF Request Execution]

The attacker’s server receives the request, confirming successful SSRF exploitation:

[Screenshot: SSRF Confirmation]

Impact

  • Type: Server-Side Request Forgery (SSRF)
  • Who is impacted: The MetInfo server and internal network resources
  • Consequences:
    1. Unauthorized outbound HTTP requests from the server
    2. Potential access to internal services and resources
    3. Information disclosure through request responses
    4. Potential for further attacks against internal infrastructure

Remediation

To mitigate this SSRF vulnerability, MetInfo should:

  1. Implement strict file type validation for uploaded files
  2. Sanitize SVG content to remove external references before processing
  3. Use a whitelist of allowed domains for external resource loading
  4. Implement network-level restrictions to prevent outbound requests to internal networks
  5. Consider using a content security policy to restrict external resource loading
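
As an illustration of remediation step 2, the following added example (written in Python for this write-up; it is not MetInfo code or a vendor patch) strips every reference that is not a same-document fragment from an uploaded SVG and rejects files carrying a DTD. The function names and the choice to drop data: URIs are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
# Attributes whose value is a URL a renderer may fetch.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href", "src"}
# Targets of CSS url(...) / @import; a pattern match, not a CSS parser.
CSS_REF = re.compile(r"""(?:url\(|@import)\s*['"]?\s*([^'")\s;]+)""", re.I)

def is_local(ref):
    """Keep only same-document fragments (#id); data: URIs can nest SVG."""
    return ref.strip().startswith("#")

def sanitize_svg(data):
    """Return (clean_svg_bytes, removed_refs); raise ValueError on a DTD."""
    # NUL bytes mean UTF-16/32, which would hide the markers from the regex.
    if b"\x00" in data or re.search(rb"<!\s*(DOCTYPE|ENTITY)", data, re.I):
        raise ValueError("DTD or non-UTF-8 encoding rejected")
    root = ET.fromstring(data)  # comments and processing instructions dropped
    removed = []
    for el in root.iter():
        for name, value in list(el.attrib.items()):
            if name in URL_ATTRS:
                bad = [] if is_local(value) else [value]
            else:
                bad = [r for r in CSS_REF.findall(value) if not is_local(r)]
            if bad:
                removed += bad
                del el.attrib[name]
        if el.tag == f"{{{SVG_NS}}}style":
            bad = [r for r in CSS_REF.findall(el.text or "") if not is_local(r)]
            if bad:
                removed += bad
                el.text = ""    # external CSS reference: drop the whole sheet
    return ET.tostring(root), removed

# The PoC payload from this page (address placeholder kept as published).
POC = b"""<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://XXX.XXX.XXX.XXX:8000" />
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(POC))
```

Storing the re-serialized output rather than the original upload is what removes the reference; the list of removed values is suitable for logging rejected or altered uploads.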

Timeline

  • 2025-08-22: Vulnerability discovered and documented
  • 2025-10-17: Additional testing and confirmation
  • [Future Date]: Vendor notified
  • [Future Date]: CVE requested/assigned