CVE-2023-46725: 
PHP vulnerability analysis and mitigation

FoodCoopShop, an open source software for food coops and local shops, was found to contain a server-side request forgery (SSRF) vulnerability in versions 3.2.0 through 3.6.0. The vulnerability was discovered and disclosed on November 2, 2023, and was assigned CVE-2023-46725. The issue affects the Network module of the application, specifically impacting manufacturer accounts with access to the /api/updateProducts.json endpoint (GitHub Advisory).

The vulnerability exists in the Network module where a manufacturer account can exploit the /api/updateProducts.json endpoint to make the server send requests to arbitrary hosts. The issue is compounded by inadequate image validation checks, leading to a time-of-check-time-of-use (TOCTOU) race condition. The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) from NIST and 8.1 (HIGH) from GitHub, indicating its serious nature. The weakness is classified under CWE-918 (Server-Side Request Forgery) and CWE-367 (Time-of-check Time-of-use Race Condition) (NVD).

The vulnerability allows an attacker to use the server as a proxy into the internal network where the server is deployed. By leveraging a custom server that returns a 200 status on HEAD requests, followed by a valid image on the first GET request and a 302 redirect to a final target on the second GET request, an attacker can make the server download arbitrary files from the redirect destination, effectively achieving a full SSRF attack (GitHub Advisory).

The vulnerability has been patched in version 3.6.1 of FoodCoopShop. The fix includes implementing improved host validation checks and addressing the TOCTOU issue. Organizations running affected versions should upgrade to version 3.6.1 immediately (GitHub Patch).