SSRF via Referrer field in ChurchCRM v5.16.0
ChurchCRM does not validate the Referer header properly and sends a HEAD request to the URL it contains. For example, when a logged-in user makes a GET request to the Dashboard with an external referrer, the server issues a HEAD request to that referrer.
Title: SSRF via Referrer field in ChurchCRM v5.16.0
Affected Component: all
CWE: CWE-918 (SSRF)
CVSS 4.0 Score: 5.3 (Moderate)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Vendor homepage: https://github.com/ChurchCRM/CRM/
Summary
The HEAD request is sent to any external host named in the referrer. If an attacker obtains credentials for several ChurchCRM sites, they can use those instances to initiate a remote DDoS attack against a third-party host.
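The defensive counterpart to the behaviour described above, as an added example that is not ChurchCRM's own code: a same-origin Referer check of the kind that would stop the outbound HEAD request, plus a small detector that flags access-log lines whose Referer points off-host (a burst of those against an unpatched instance is the pattern worth alerting on). The trusted host name, the `/Dashboard` path and the log lines are constructed for illustration.

```python
"""Added example (not ChurchCRM's own code): validate the Referer before
acting on it, and scan access logs for off-host referrers."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Host names the application considers its own (assumption: set by the operator).
TRUSTED_HOSTS = {"crm.example.org"}


def is_safe_referrer(referer: Optional[str], trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if the Referer points back at one of our own hosts.

    Absent, malformed, non-HTTP, foreign-host and literal-IP referrers are all
    rejected, so the server never issues a request to an address it did not choose.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # A literal IP (loopback, link-local, internal range) is exactly the kind of
    # target an SSRF attempt aims at, so refuse it regardless of value.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host in trusted_hosts


# Combined log format: the Referer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)


def off_host_referers(log_lines, trusted_hosts=TRUSTED_HOSTS):
    """Return (client_ip, request_line, referer) for every line whose Referer
    is not one of ours. "-" (no Referer at all) is normal browser behaviour
    and is skipped; only a referrer that would trigger an outbound request counts."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["referer"] == "-":
            continue
        if not is_safe_referrer(m["referer"], trusted_hosts):
            findings.append((m["ip"], m["req"], m["referer"]))
    return findings


# Constructed sample log: one legitimate referrer, one external, one absent,
# one pointing at loopback.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /Dashboard HTTP/1.1" 200 5120 '
    '"https://crm.example.org/Menu" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:12:00:02 +0000] "GET /Dashboard HTTP/1.1" 200 5120 '
    '"http://external.example.net/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /Dashboard HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /Dashboard HTTP/1.1" 200 5120 '
    '"http://127.0.0.1:8080/" "Mozilla/5.0"',
]


def scan_sample():
    """Run the detector over the constructed sample log."""
    return off_host_referers(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, req, ref in scan_sample():
        print(f"{ip} sent {req!r} with off-host Referer {ref}")
```

The check is deliberately an allow-list on host name rather than a block-list of private ranges: an SSRF fix that only filters known-bad addresses still lets the server be pointed at any public host, which is precisely the DoS amplification the advisory describes.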
PoC
Single request: (screenshot not captured in this text)
Single referrer HEAD request: (screenshot not captured in this text)
Multiple requests sent to ChurchCRM: (screenshot not captured in this text)
Multiple requests received: (screenshot not captured in this text)
Impact
Server-Side Request Forgery that lets an attacker use servers running ChurchCRM to send HEAD requests to arbitrary external hosts, causing a DoS.